DORA Foundation

In the context of Regulation (EU) 2022/2554 (DORA), the DORA Foundation course is an intermediate, structured and robust training programme designed for professionals who need to understand DORA with practical depth, but without yet entering the level of design and implementation leadership required in the DORA Compliance Lead Manager course.

Upcoming dates

Confirmed dates.
Synchronous, live training. Interaction with the trainer and the group.

1 June 2026
Live Online • next edition
25 September 2026
Live Online • base price
Duration: 2 days / 16h
Language: available in Portuguese or English
Training: practical and case-study based
Exam: 1h
PROFESSIONAL LEVEL — practical application of methods in a professional context.

Why this course exists

To create an intermediate foundation between role-based awareness and the advanced implementation pathway.

Between role-based awareness and the advanced implementation pathway, there is a clear need for intermediate training for professionals in GRC, compliance, risk, IT, security, legal, procurement, audit and operations.

The DORA Foundation course exists to create a solid understanding base, common language and structured reading capability of DORA, without anticipating the methodological and operational depth of the DORA Compliance Lead Manager course.

What this course enables you to do

Understand

Understand the structure, logic and main concepts of DORA.

Identify

Identify the main requirements by thematic domain and their practical relevance.

Relate

Relate chapters of the regulation to internal functions, processes and organisational evidence.

Prepare

Prepare teams for more informed participation in DORA compliance programmes, projects and assessments.

Frameworks, regulation and topics addressed throughout the course

Regulation (EU) 2022/2554 — DORA
Structure and chapters of the regulation
Governance and organisation
ICT risk management framework
ICT-related incident management
Classification and reporting
Digital operational resilience testing
TIBER-EU — overview
ICT third-party risk
Concentration, contracts and register of information
Information-sharing arrangements
Authorities and oversight

Value for the organisation

  • Common understanding base across critical functions.
  • Better alignment between regulatory language and practical execution.
  • Reduced ambiguity between risk, compliance, IT, security, legal and procurement.
  • Better preparation for projects, assessments, audit and regulatory interaction.

Introduction

The DORA Foundation course is an intermediate, structured and robust training programme designed for professionals who need to understand DORA with practical depth, but without yet entering the level of design and implementation leadership required in the DORA Compliance Lead Manager course.

The course addresses the fundamentals, framework, main requirements and their practical translation into governance, ICT risk, incidents, testing, third parties and evidence.

It includes a Behaviour final exam and Foundation certification.

This Training Plan and all associated documents are protected by Copyright and registered as a literary work with IGAC.

General Objectives

At the end of the training, participants should be able to:

  • Understand the fundamentals, scope and structure of the DORA Regulation.
  • Identify core obligations related to governance, ICT risk, incidents, testing and third parties.
  • Relate the main DORA chapters to organisational practices and internal functions.
  • Recognise the role of authorities, oversight and information-sharing mechanisms.
  • Distinguish between structured understanding of the regulation and advanced implementation of the framework.

Target Audience

  • Compliance, risk and GRC professionals.
  • IT, information security and cybersecurity professionals.
  • Business continuity, operational resilience and incident management professionals.
  • Legal, procurement and vendor management professionals involved in DORA-related topics.
  • Internal auditors, regulatory PMO and area owners with relevant participation in DORA initiatives.

Prerequisites

There are no mandatory formal prerequisites. However, professional experience in control, technology, risk, security, operations or compliance functions is recommended.

In addition, other specific requirements may apply, where relevant, depending on the quotation or proposal presented. Please consult the applicable proposal.

Programme

Introduction to DORA
  • Regulatory context
  • Objectives of the regulation
  • Scope of application
  • Essential concepts and definitions
  • Structure of the regulation and chapter-by-chapter overview
Governance and organisation
  • Role of the management body
  • Responsibilities, approval, supervision and accountability
  • Internal roles, responsibilities and reporting lines
  • Relationship between governance, control and evidence
ICT risk management framework
  • Structure of the ICT risk management framework
  • Strategies, policies, procedures, protocols and tools
  • Protection, prevention, detection, response and recovery
  • Review, internal audit and improvement
  • Digital operational resilience strategy
Incident management, classification and reporting
  • ICT-related incident management
  • Recording and handling of incidents and relevant threats
  • Incident classification
  • Escalation, communication and reporting
  • Lessons learned and post-incident improvement
Digital operational resilience testing
  • General testing requirements
  • Types of testing and practical usefulness
  • Overview of advanced testing and TLPT
  • Articulation with TIBER-EU
  • Value of testing for robustness, control and improvement
ICT third-party risk management
  • Third-party risk in the DORA context
  • Dependencies, criticality and concentration
  • Due diligence
  • Critical contractual elements
  • Monitoring, changes, audit and exit
  • Register of information
Information-sharing, oversight and authorities
  • Information-sharing arrangements
  • Overview of the oversight framework
  • Competent authorities and institutional articulation
  • What this means in practice for entities and teams
Consolidation and exam preparation
  • Review of key concepts
  • Consolidation by domains
  • Exam-style questions
  • Frequent interpretation errors

Exam(s) and Certification

Final exam “Certified DORA Foundation”

The final exam assesses the structured understanding of the regulation, its main requirements and its practical implications for governance, ICT risk, incidents, testing, third parties and organisational evidence.

The exam covers the following domains:

  • Domain 1: DORA fundamentals, scope and concepts
  • Domain 2: Governance and organisation + ICT risk management
  • Domain 3: ICT-related incident management, classification and reporting
  • Domain 4: Digital operational resilience testing
  • Domain 5: ICT third-party risk, concentration, contracts and register of information
  • Domain 6: Information-sharing arrangements, authorities and oversight

Language(s): Portuguese and English.
Duration: 1 hour.
Format: Multiple choice.
Number of questions: 40.
Pass mark: 70%.
Results: Pass or Fail.
Issuing entity: Behaviour (legal entity), through its certification service Behaviour Certification Services.
Retake: 1 free retake within a maximum period of 2 months after the result of the initial exam.

Certification

After successfully completing the exam and accepting or signing the applicable agreement and Code of Ethics, the candidate achieves the credential Certified DORA Foundation, issued by Behaviour (legal entity), through its certification service Behaviour Certification Services.

This is a Behaviour® professional certification: a proprietary certification scheme with international market recognition. The scheme is designed and operated based on good practices for personal certification, principles of impartiality and exam quality, and applicable international references, including the principles of ISO/IEC 17024.

A Certificate and a Digital Certification Badge will be issued to participants who successfully complete the certification exam and satisfy all requirements of the certification for which they are applying.

Certification programmes are valid only for individuals, not companies, and the award and maintenance of certification depend on the exam result, professional experience and compliance with the applicable agreement and Code of Ethics.

If the professional does not comply with the agreement or the Code of Ethics, the certification is not granted or is revoked.

Other Information

General Information
  • Training available in Portuguese or English.
  • Training materials available in Portuguese or English, in accordance with the awarded conditions.
  • Behaviour digital Training Attendance Certificate with 16 CPD/CPE credits.
  • Online Certification Exam, in Portuguese or English. The exam may be taken up to 2 months from the course start date.
  • If the candidate does not pass the exam, they are entitled to one free retake within a maximum period of 2 months from the release date of the initial exam result.
  • Digital Certification Diploma and Digital Certification Badge after passing the exam and completing the application process. This process has no associated cost.
Trainer(s)

The trainers are consultants with experience in governance, risk, compliance, cybersecurity, operational resilience and digital regulation, ensuring a clear, applied approach oriented towards the structured reading of DORA and its practical impact on organisations.

Benefits

  • Creates a common understanding base across critical functions.
  • Improves alignment between regulatory language and practical execution.
  • Reduces ambiguity between risk, compliance, IT, security, legal and procurement.
  • Better prepares teams for projects, assessments, audit and regulatory interaction.
  • Facilitates later progression to more advanced pathways when required by the organisation.

Logistics

Useful information
  • Live Online (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks.
  • Classroom (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks.
  • 14 hours of synchronous training, distributed across 2 days, plus the final exam.
  • Requirements: computer with stable internet, updated browser, PDF reader and audio/video where applicable.
Hotels in Lisbon

Find out where you can stay in Lisbon, near Behaviour, for classroom training.

Frequently Asked Questions

Objective answers to the most common questions about the DORA Foundation course.

Is this course suitable for multidisciplinary teams attending the same edition?

Yes. The DORA Foundation course is particularly useful when professionals from risk, compliance, IT, security, legal, procurement, audit and operations need to develop a common language and a structured reading of the regulation.

Does it help interpret internal evidence requests, gap assessments and action plans related to DORA?

Yes. The course helps participants better understand how the regulation’s chapters relate to processes, controls, evidence and internal responsibilities, improving the quality of interpretation of requests, gaps and improvement actions.

Can it serve as preparation before an assessment, internal audit or readiness review?

Yes. The course can work as a useful prior foundation for teams that will participate in assessments, readiness reviews, internal audits or regulatory preparation initiatives related to DORA.

Is it useful for professionals who do not work exclusively on DORA but need to intervene in recurring regulation topics?

Yes. Foundation is particularly useful for professionals who do not lead the DORA programme full time, but who regularly participate in topics such as ICT risk, incidents, testing, third parties, evidence or functional articulation.

Can it work as a common foundation before distributing work by domains such as incidents, third parties, testing or ICT risk?

Yes. The course helps create a common understanding base before deeper domain-specific work, making it easier to distribute responsibilities and carry out more specialised work by topic.

For general questions about registration, delivery modes, exams, certification and recertification, please consult the BEHAVIOUR® FAQs.

Registration

Complete the form to request your registration for the preferred edition. Check the upcoming dates.

Request more information

If you would like help to frame the course within your professional or organisational context, contact us and we will indicate the most suitable path.

Companies: request a proposal

For team registrations, we provide volume conditions and a proposal tailored to the organisational need.

This course may be attended by individual professionals. It may also be integrated into foundation pathways for teams that need to understand DORA, its scope, pillars, requirements and organisational implications.