100+ Free IBITGQ C-DORA Practice Questions

IBITGQ Certified DORA Foundation & Practitioner (C-DORA) practice questions are available now; exam metadata is being verified.

Pass Rate: Not published
100+ Questions
100% Free

Key Facts: IBITGQ C-DORA Exam

DORA Application Date: 17 Jan 2025 (EU Regulation 2022/2554)
In-Scope Financial Entity Types: 20+ types (DORA Article 2)
Initial Major Incident Notification: 4h / 24h (DORA RTS 2025/301)
TLPT Minimum Frequency: Every 3 years (DORA Article 26)
Accreditation Standard: ISO 17024 (IBITGQ / GASQ)
Foundation Exam Duration: 60 min (IBITGQ / GASQ)

The IBITGQ C-DORA Foundation is a 60-minute multiple-choice exam covering DORA's regulatory scope, ICT risk management lifecycle, incident reporting timelines, resilience testing requirements (including TLPT), ICT third-party risk management, and governance. The Practitioner level focuses on implementing DORA requirements and designing resilience programmes. Both exams are ISO 17024-accredited and delivered online via GASQ automated proctoring.

Sample IBITGQ C-DORA Practice Questions

Try these sample questions to test your IBITGQ C-DORA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. On which date did EU Regulation 2022/2554 (DORA) become applicable to in-scope financial entities?
A. 17 January 2025
B. 16 January 2023
C. 1 January 2024
D. 31 December 2024
Explanation: DORA entered into force on 16 January 2023 but became applicable — meaning compliance was mandatory — from 17 January 2025. The two-year gap was the implementation period for financial entities to build their ICT risk management frameworks, incident reporting processes, and third-party risk programmes.
2. Which EU regulation number codifies the Digital Operational Resilience Act?
A. Regulation (EU) 2022/2554
B. Regulation (EU) 2016/679
C. Directive (EU) 2022/2555
D. Regulation (EU) 2019/881
Explanation: DORA is officially Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector. It is a directly applicable regulation, not a directive, meaning it does not require national transposition.
3. DORA applies to approximately how many different types of financial entities?
A. 5 types
B. 10 types
C. 20 types
D. 50 types
Explanation: DORA applies to more than 20 types of financial entities operating in the EU, encompassing over 22,000 entities. The broad scope includes credit institutions, insurance companies, investment firms, payment institutions, e-money institutions, crypto-asset service providers, credit rating agencies, trading venues, central counterparties, and more.
4. Which of the following entities is explicitly in scope for DORA?
A. Crypto-asset service providers operating in the EU
B. EU member state central government ministries
C. Social media companies hosting financial advertising
D. Non-financial multinational corporations with treasury functions
Explanation: Crypto-asset service providers (CASPs) operating in the EU are explicitly listed in DORA's scope. DORA Article 2 enumerates more than 20 categories of financial entity, of which CASPs are one. Government ministries, social media companies, and non-financial corporations are not in scope.
5. The proportionality principle under DORA means that financial entities must implement DORA obligations taking into account what?
A. Their size, overall risk profile, and the nature, scale, and complexity of their services
B. Their geographic location within the EU only
C. Only their annual turnover relative to a fixed EUR threshold
D. The number of employees in their ICT department
Explanation: DORA's proportionality principle (stated in recitals and reflected across articles) requires financial entities to implement obligations 'in accordance with the principle of proportionality, taking into account the size, overall risk profile, and the nature, scale, and complexity of their services, activities, and operations.' This means smaller or simpler entities may apply a less complex ICT risk framework, but proportionality does not eliminate any requirement entirely.
6. Which three European Supervisory Authorities (ESAs) share joint oversight powers under DORA?
A. EBA, ESMA, and EIOPA
B. ECB, EBA, and ESRB
C. ESMA, EIOPA, and ENISA
D. EBA, ECB, and European Commission
Explanation: Under DORA, the three ESAs — the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) — share joint oversight authority. They designate critical ICT third-party providers and conduct oversight through Joint Examination Teams (JETs).
7. Under DORA, who bears ultimate responsibility for defining, approving, and overseeing the ICT risk management framework?
A. The management body of the financial entity
B. The Chief Information Security Officer (CISO)
C. The lead competent authority designated by the ESAs
D. The ICT risk management function head
Explanation: DORA Article 5 places ultimate, non-delegable responsibility on the management body (i.e., board of directors or equivalent governing body) for defining, approving, and overseeing the ICT risk management framework. Board members must maintain sufficient knowledge of the ICT risk landscape and can delegate tasks but not accountability.
8. DORA requires financial entities to establish a dedicated ICT risk management function. Under Article 6(8), what key characteristic must this function have?
A. It must operate separately from first-line operational units and report directly to the management body
B. It must be housed within the IT operations team and report to the CTO
C. It must be outsourced to an accredited third-party risk firm
D. It must be merged with the compliance department to reduce costs
Explanation: DORA Article 6(8) requires the dedicated ICT risk management function to have sufficient authority, independence, and resources, to operate separately from first-line ICT operational units, and to report directly to the management body. This second-line independence mirrors the three-lines-of-defence model and prevents conflicts of interest.
9. Which phases does the DORA ICT risk management lifecycle require financial entities to cover?
A. Identify, Protect, Detect, Respond, Recover, and Learn
B. Plan, Do, Check, Act
C. Assess, Mitigate, Transfer, Accept
D. Prevent, Detect, Contain, Remediate
Explanation: DORA Articles 8-14 describe a risk management lifecycle covering: identification of ICT assets and risks; protection and prevention measures; detection of anomalous activity; response and recovery from incidents; and communication and learning. This 'identify-protect-detect-respond-recover-learn' structure aligns with frameworks such as NIST CSF.
10. Under DORA, financial entities must maintain an ICT asset catalogue. What is the primary purpose of this requirement?
A. To identify and document ICT assets supporting critical or important functions so risks can be assessed and managed
B. To allow the ESAs to directly access and audit all ICT systems in real time
C. To comply with GDPR's data mapping requirements for processing personal data
D. To submit a monthly inventory report to the national competent authority
Explanation: DORA Article 8 requires financial entities to identify, classify, and document all ICT assets (including hardware, software, data, ICT services, and processes) that support critical or important functions. This asset catalogue is foundational to risk identification — you cannot manage risks to assets you have not identified.

About the IBITGQ C-DORA Practice Questions

Verified exam format metadata for IBITGQ Certified DORA Foundation & Practitioner (C-DORA) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.