What does DORA require for ICT incident reporting, and how does it change operational resilience expectations for financial entities?
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
DORA (the EU Digital Operational Resilience Act) sets harmonized rules for ICT risk across financial entities. Key pillars: an ICT risk-management framework; classification and mandatory reporting of major ICT-related incidents to competent authorities within defined timelines (initial, intermediate, final notifications); digital operational resilience testing, including threat-led penetration testing for significant firms; and management of ICT third-party risk, with oversight of critical providers like cloud vendors and contractual requirements. The shift is from treating IT outages as a back-office issue to a board-level resilience obligation with explicit regulatory reporting and testing — closing gaps where outsourced/cloud dependencies previously sat outside the supervisory perimeter.
WHAT INTERVIEWERS LISTEN FOR
- ✓ICT risk-management framework + governance
- ✓Mandatory major-incident reporting with set timelines
- ✓Resilience testing incl. threat-led pen testing
- ✓ICT third-party/critical-provider oversight
COMMON MISTAKES
- ✗Treating DORA as just an IT-security rule
- ✗Ignoring third-party/cloud scope
- ✗Unaware of incident-reporting timelines
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- How do you quantify operational risk?
- Why did Basel move from Value-at-Risk to Expected Shortfall for market risk under FRTB, and what does ES capture that VaR misses?
- What are the key risks in outsourcing and third-party arrangements, and what do supervisory expectations (e.g., EBA guidelines) require?
- How is climate risk being incorporated into the prudential and risk-management framework?
- What is BCBS 239, and why is risk-data aggregation and reporting capability a supervisory priority?
- Explain the COSO ERM framework.