All Practice Exams

100+ Free PECB DORA Foundation Practice Questions

Pass your PECB Certified DORA Foundation exam on the first try — instant access, no signup required.

  • No registration
  • No credit card
  • No hidden fees
  • Start practicing immediately

Key Facts: PECB DORA Foundation Exam

  • DORA Application Date: 17 January 2025 (source: EU DORA Regulation (EU 2022/2554))
  • DORA Scope: ~20 entity types (source: DORA Regulation, Article 2)
  • Initial Incident Notification (after classification): 4 hours (source: DORA RTS on Incident Reporting)
  • Intermediate Incident Report Deadline: 72 hours (source: DORA RTS on Incident Reporting)
  • Minimum TLPT Frequency: every 3 years (source: DORA Article 26)
  • PECB Foundation Pass Mark: 70% (source: PECB)

PECB DORA Foundation is PECB's introductory credential for the EU Digital Operational Resilience Act (Regulation EU 2022/2554), which became applicable on 17 January 2025. The exam consists of approximately 40 multiple-choice questions to be answered in 60 minutes with a 70% pass mark, and it tests knowledge across two domains: fundamental ICT risk and digital operational resilience concepts, and core DORA framework requirements.

Sample PECB DORA Foundation Practice Questions

Try these sample questions to test your PECB DORA Foundation exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. On which date did the EU Digital Operational Resilience Act (DORA) become applicable to financial entities?
  A. 17 January 2025
  B. 17 January 2023
  C. 1 January 2024
  D. 17 July 2025
Explanation: DORA (Regulation EU 2022/2554) entered into application on 17 January 2025. The regulation was published in December 2022 and provided a 24-month transition period for financial entities to prepare for compliance.

2. What is the primary objective of the Digital Operational Resilience Act (DORA)?
  A. To ensure financial entities can withstand, respond to, and recover from ICT disruptions
  B. To harmonise cybersecurity rules across all EU industries
  C. To create a unified EU data protection framework for financial services
  D. To regulate the use of artificial intelligence in banking operations
Explanation: DORA's primary objective is to ensure that financial entities in the EU can withstand, respond to, and recover from ICT-related disruptions and threats, including cyberattacks. It harmonises ICT risk management rules specifically for the financial sector.

3. Which acronym describes the overall risk type that DORA specifically targets?
  A. ICT risk
  B. ORM
  C. GDPR risk
  D. ESG risk
Explanation: DORA targets ICT (Information and Communication Technology) risk — the risk of loss resulting from inadequate or failed internal processes related to ICT systems, or from external events impacting ICT availability, integrity, continuity, and security.

4. Approximately how many types of financial entities fall within the scope of DORA?
  A. 5
  B. 10
  C. 20
  D. 50
Explanation: DORA explicitly covers approximately 20 different types of financial entities, including credit institutions, payment institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, and central counterparties, among others.

5. Which of the following entity types is explicitly within the scope of DORA?
  A. Crypto-asset service providers
  B. General retailers processing card payments
  C. Non-financial EU government agencies
  D. Agricultural cooperatives
Explanation: Crypto-asset service providers (CASPs) are explicitly included in DORA's scope. They must comply with ICT risk management, incident reporting, and third-party risk requirements just like traditional financial entities.

6. Under DORA, which body is responsible for defining and approving the ICT risk management framework at the highest governance level within a financial entity?
  A. The ICT operations team
  B. External auditors
  C. The management body (board of directors)
  D. The national competent authority
Explanation: DORA Article 5 places direct personal accountability on the management body (i.e., the board of directors or equivalent governing body) to define, approve, oversee, and be responsible for the ICT risk management framework. Board members must actively maintain sufficient knowledge and skills to assess ICT risk.

7. Which DORA article establishes the requirement for financial entities to maintain a sound, comprehensive, and well-documented ICT risk management framework?
  A. Article 3
  B. Article 5
  C. Article 6
  D. Article 28
Explanation: DORA Article 6 mandates that financial entities maintain a comprehensive and well-documented ICT risk management framework covering risk identification, protection, detection, response and recovery, learning, and communication. The framework must be approved by the management body and reviewed at least annually.

8. Under DORA's ICT risk management framework, what is the required minimum review frequency for the framework?
  A. At least annually
  B. Quarterly
  C. Every three years
  D. Only after a major incident
Explanation: DORA requires that the ICT risk management framework be reviewed at least annually, and also following any major ICT-related incidents or significant changes to ICT systems or the business environment. This ensures the framework remains current and effective.

9. The five pillars of ICT risk management in DORA's framework include identify, protect, detect, respond, and which fifth element?
  A. Recover
  B. Audit
  C. Report
  D. Mitigate
Explanation: DORA's ICT risk management framework is built around five capability pillars: Identify, Protect, Detect, Respond, and Recover. The Recover pillar addresses restoring ICT systems and services after an incident, including business continuity and disaster recovery plans.

10. DORA mandates that financial entities, other than microenterprises, assign responsibility for managing ICT risk to a dedicated control function. What key principle must this function uphold?
  A. It must be staffed exclusively by external consultants
  B. It must hold budget authority over all ICT investments
  C. It must maintain appropriate independence to avoid conflicts of interest
  D. It must report directly to the national competent authority
Explanation: DORA Article 6 requires that the ICT risk management control function maintains appropriate independence to avoid conflicts of interest. This three-lines-of-defense model ensures risk oversight is segregated from operational ICT functions.

About the PECB DORA Foundation Exam

Entry-level certification validating knowledge of the EU Digital Operational Resilience Act (DORA), ICT risk management fundamentals, incident reporting requirements, resilience testing obligations, and third-party risk management essentials for EU financial entities.

  • Questions: 40 scored questions
  • Time Limit: 60 minutes
  • Passing Score: 70%
  • Exam Fee: Included with training course (PECB)

PECB DORA Foundation Exam Content Outline

  • Fundamental Concepts of ICT Risk Management and Digital Operational Resilience (~50%): DORA objectives, regulatory scope, key definitions, financial entity types, regulatory framework and ESAs, and the five pillars of the ICT risk management framework
  • DORA Requirements for an ICT Risk Management Framework (~50%): ICT risk management framework governance and structure, ICT incident reporting obligations and timelines, digital operational resilience testing including TLPT, and ICT third-party risk management essentials

How to Pass the PECB DORA Foundation Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 40 questions
  • Time limit: 60 minutes
  • Exam fee: Included with training course

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

PECB DORA Foundation Study Tips from Top Performers

1. Memorise the three DORA incident reporting timelines: 4 hours (initial notification after classification), 72 hours (intermediate report after detection), 1 month (final report)
2. Know the five ICT risk management framework pillars by heart: Identify, Protect, Detect, Respond, Recover
3. Understand the difference between basic testing (all entities) and advanced TLPT (significant entities, at least every 3 years)
4. Learn the DORA entity scope: ~20 types of financial entities including crypto-asset service providers and payment institutions
5. Distinguish major ICT incidents (require regulatory reporting) from general ICT incidents (managed internally)
6. Remember that DORA is a Regulation (not a Directive) — directly applicable in all EU member states without national transposition

Frequently Asked Questions

What is the PECB DORA Foundation exam format?

The PECB DORA Foundation exam consists of approximately 40 multiple-choice questions to be completed in 60 minutes. The exam is delivered online via PECB's proctored exam platform and requires a webcam, microphone, and stable internet connection. A passing score of 70% is required.

What does the PECB DORA Foundation exam cover?

The exam covers two domains: Domain 1 focuses on fundamental concepts of ICT risk management and digital operational resilience, including DORA's objectives, scope, and key definitions. Domain 2 covers DORA's requirements for an ICT risk management framework, including incident reporting timelines, resilience testing, and third-party risk management basics.

Who should take the PECB DORA Foundation certification?

PECB DORA Foundation is ideal for IT managers, risk managers, compliance officers, consultants, and ICT professionals working with or within EU financial entities subject to DORA. It provides a structured introduction to DORA obligations for those who need foundational regulatory awareness rather than full implementation expertise.

How many retakes are allowed for the PECB DORA Foundation exam?

One free retake is included within 12 months of course activation. There is no total limit on retake attempts, but a mandatory 15-day waiting period applies between each attempt. Additional attempts beyond the free retake require purchasing a separate PECB exam voucher.

What is the EU DORA regulation?

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that became applicable on 17 January 2025. It requires approximately 22,000 financial entities (banks, insurers, investment firms, crypto-asset service providers, and others) to maintain robust ICT risk management frameworks, report major ICT incidents within defined timelines, conduct digital operational resilience testing, and manage ICT third-party risks rigorously.

What are the incident reporting timelines under DORA?

DORA requires a three-stage reporting process for major ICT incidents: an initial notification within 4 hours of classifying the incident as major (no later than 24 hours after first awareness), an intermediate report within 72 hours of initial detection, and a final report within 1 month of the initial notification. Reports are submitted to the entity's national competent authority.