Answers / Risk & Compliance

What does DORA require for ICT incident reporting, and how does it change operational resilience expectations for financial entities?

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

DORA (the EU Digital Operational Resilience Act) sets harmonized rules for ICT risk across financial entities. Key pillars: an ICT risk-management framework; classification and mandatory reporting of major ICT-related incidents to competent authorities within defined timelines (initial, intermediate, final notifications); digital operational resilience testing, including threat-led penetration testing for significant firms; and management of ICT third-party risk, with oversight of critical providers like cloud vendors and contractual requirements. The shift is from treating IT outages as a back-office issue to a board-level resilience obligation with explicit regulatory reporting and testing — closing gaps where outsourced/cloud dependencies previously sat outside the supervisory perimeter.

WHAT INTERVIEWERS LISTEN FOR

  • ICT risk-management framework + governance
  • Mandatory major-incident reporting with set timelines
  • Resilience testing incl. threat-led pen testing
  • ICT third-party/critical-provider oversight

COMMON MISTAKES

  • Treating DORA as just an IT-security rule
  • Ignoring third-party/cloud scope
  • Unaware of incident-reporting timelines

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS