100+ Free DORA Lead Manager Practice Questions

Pass your PECB Certified DORA Lead Manager exam on the first try — instant access, no signup required.

Key Facts: DORA Lead Manager Exam

  • DORA application date: 17 January 2025 (EU Official Journal)
  • Exam format: 80 MCQ, 3 hours (PECB Candidate Handbook)
  • Exam type: open-book (PECB)
  • Major incident report timelines: initial 4h / intermediate 72h / final 1 month (DORA Article 19; the exact deadlines are set in the reporting RTS adopted under Article 20)
  • TLPT minimum frequency: every 3 years (DORA Article 26)
  • DORA scope: 20+ entity types (DORA Article 2)

PECB Certified DORA Lead Manager is an open-book, 80-question, 3-hour MCQ exam covering the full EU DORA regulation (2022/2554). It targets professionals responsible for implementing or managing DORA compliance programmes in financial entities across ICT risk, incident reporting, resilience testing, and third-party risk domains.

Sample DORA Lead Manager Practice Questions

Try these sample questions to test your DORA Lead Manager exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under DORA (Regulation (EU) 2022/2554), which body bears the ultimate responsibility for managing the financial entity's ICT risk?
A. The Chief Information Security Officer (CISO)
B. The management body (board of directors)
C. The ICT risk function
D. The external auditor
Explanation: Article 5(2)(a) of DORA states that the management body bears the ultimate responsibility for managing the financial entity's ICT risk. Under Article 5(2) the management body must define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework. This accountability cannot be delegated to a CISO, a risk function or an auditor, which is what distinguishes DORA from softer guidance frameworks.
2. DORA's ICT risk management framework (Article 6) must be reviewed at a minimum of how often?
A. Annually
B. Every six months
C. Every three years
D. Only after a major ICT incident
Explanation: Article 6(5) of DORA requires the ICT risk management framework to be documented and reviewed at least once a year (periodically, in the case of microenterprises), as well as upon the occurrence of major ICT-related incidents and following supervisory instructions or conclusions from digital operational resilience testing or audits. Article 5(2) places approval and oversight of the framework with the management body. The annual cadence keeps the framework aligned with the entity's risk profile and with changes in the threat landscape; option D is wrong because the post-incident review is an additional trigger, not a replacement for the yearly review.
3. Which of the following entities is explicitly included in DORA's scope as a regulated financial entity?
A. Non-financial corporates using cloud computing
B. General IT outsourcing companies
C. Crypto-asset service providers (CASPs)
D. Public sector agencies providing payment services
Explanation: DORA Article 2 explicitly includes crypto-asset service providers authorised under MiCA (Regulation (EU) 2023/1114) among its 20+ categories of in-scope financial entities. DORA deliberately extended its scope to emerging digital finance participants alongside traditional banks, insurers and investment firms. ICT service providers such as cloud or outsourcing companies are not financial entities under Article 2; they fall under DORA through the third-party risk provisions (Articles 28-30) and, if designated, the oversight framework for critical ICT third-party providers.
4. Under DORA Article 5, members of the management body are required to maintain competence in ICT risk. How must this competence be kept up to date?
A. By following specific training on a regular basis
B. By delegating ICT risk oversight to the CRO
C. By appointing a dedicated Board ICT Risk Committee
D. By obtaining an external certification in cybersecurity
Explanation: DORA Article 5(4) requires members of the management body to actively keep up to date sufficient knowledge and skills to understand and assess ICT risk and its impact on the entity's operations, including by following specific training on a regular basis, commensurate with the ICT risk being managed. The regulation does not prescribe a particular certification or committee; it mandates ongoing competency development.
5. DORA's ICT risk management framework must be documented and cover which five core capability areas?
A. Plan, Do, Check, Act, and Report
B. Assess, Treat, Monitor, Communicate, and Review
C. Govern, Map, Test, Outsource, and Audit
D. Identify, Protect, Detect, Respond, and Recover
Explanation: The five areas are the subjects of Articles 8 to 12 of DORA: identification (Article 8), protection and prevention (Article 9), detection (Article 10), response and recovery (Article 11), and backup policies and procedures, restoration and recovery (Article 12). This mirrors the NIST Cybersecurity Framework functions and reflects DORA's outcome-based approach. Article 6(8), by contrast, concerns the digital operational resilience strategy that sets out how the framework is implemented.
6. According to DORA Article 8, financial entities must identify and document all ICT assets. What is the primary purpose of this asset inventory?
A. To enable accurate ICT risk identification and protection mapping
B. To calculate the total cost of IT ownership
C. To satisfy European Banking Authority (EBA) capital adequacy reporting
D. To prepare the register of information for third-party providers
Explanation: DORA Article 8(1) requires entities to identify, classify and adequately document all ICT-supported business functions, roles and responsibilities, and the information assets and ICT assets supporting them, including their dependencies. The inventory exists so that ICT risk can be identified accurately and protection controls mapped to the assets they cover; a comprehensive, current inventory is the foundation for the protection, detection and response requirements that follow. The register of information on ICT third-party arrangements is a separate obligation under Article 28(3).
7. DORA Article 9 addresses protection of ICT systems. Which security principle does DORA require entities to implement for their network connections?
A. Open access with activity logging only
B. Perimeter-only firewall protection
C. Network segmentation and strict access controls
D. Monthly vulnerability scanning without patching obligations
Explanation: DORA Article 9(4) requires financial entities, following a risk-based approach, to establish a sound network and infrastructure management structure, including mechanisms to isolate affected information assets in the event of a cyber-attack, and to limit physical and logical access to information and ICT assets to what legitimate and approved activities require. The RTS on ICT risk management tools (Commission Delegated Regulation (EU) 2024/1774) spells this out as network segmentation and segregation with strict access controls. Segmentation limits lateral movement after a compromise, while access controls enforce least privilege. Option D is wrong because Article 9(4)(f) also requires documented patch and update policies.
8. Under DORA Article 11, what must a financial entity's ICT Business Continuity Plan (BCP) specifically address?
A. Alternative procedures and temporary measures to maintain service continuity during disruption
B. The process for outsourcing critical functions to competitor firms
C. Annual fire drills and physical evacuation procedures
D. Capital reserves to compensate customers in the event of ICT failures
Explanation: DORA Article 11 requires a comprehensive ICT business continuity policy, implemented through dedicated plans, that ensures the continuity of critical or important functions, responds to and resolves ICT-related incidents, activates containment measures and provides for internal and external communication. The plans must detail the alternative procedures, redundancies and temporary capacity measures that allow the entity to maintain or quickly restore critical operations during an ICT disruption, and they must be tested at least yearly. They also cover crisis communication, the priority order of recovery and personnel roles during activation.
9. DORA Article 12 sets requirements for ICT backup and recovery. What Recovery Time Objective (RTO) and Recovery Point Objective (RPO) must entities define?
A. A universal RTO of 4 hours and RPO of 24 hours mandated for all entities
B. RTO and RPO determined solely by the entity's ICT third-party service provider
C. RTO within 72 hours and RPO within 1 week for all critical functions
D. Entity-specific RTO and RPO aligned to the criticality of the affected function
Explanation: DORA Article 12 does not mandate fixed numeric RTO/RPO values. Entities must determine recovery time and recovery point objectives for each function, taking into account whether it is a critical or important function and the potential overall impact on market efficiency. The 4h / 72h / 1 month figures in option A are the incident reporting deadlines, not recovery targets. The objectives are then validated through the regular testing of backup, restoration and recovery procedures.
10. Which of the following is a mandatory element of a DORA-compliant ICT risk management framework under Article 13 (Learning and Evolving)?
A. Reviews after ICT incidents to incorporate lessons learned and update policies
B. Submission of all ICT incident post-mortems to the European Central Bank
C. Annual publication of the ICT risk framework on the entity's public website
D. Benchmarking ICT controls against at least two competitor institutions
Explanation: DORA Article 13 requires financial entities to gather and analyse information on vulnerabilities, cyber threats and ICT-related incidents (Article 13(1)) and to carry out post ICT-related incident reviews after a major incident disrupts core activities (Article 13(2)). The lessons learned, including those drawn from resilience testing and from information sharing, must feed back into the ICT risk management framework so that policies, controls and procedures are updated and the framework continuously improves.

About the DORA Lead Manager Exam

The PECB Certified DORA Lead Manager certification validates the skills to lead Digital Operational Resilience Act (EU 2022/2554) implementation programmes in financial entities. It covers ICT risk management frameworks, incident management and reporting, digital operational resilience testing (including TLPT), ICT third-party risk management, and governance obligations applicable from 17 January 2025.

Questions

80 scored questions

Time Limit

3 hours

Passing Score

PECB standard passing criteria (typically 70%)

Exam Fee

Included in training course package; contact authorised PECB training providers for pricing (PECB (Professional Evaluation and Certification Board))

DORA Lead Manager Exam Content Outline

~20%

ICT Risk Management and Digital Operational Resilience Fundamentals

DORA scope and definitions (Article 2-3), management body accountability (Article 5), ICT risk management framework structure (Article 6), asset identification (Article 8), protection policies (Article 9), detection (Article 10), BCP (Article 11), backup and recovery (Article 12)

~20%

Preparing and Planning DORA Implementation

Gap assessment methodology, project sequencing, governance structure design, critical or important function (CIF) identification and mapping, proportionality principle, simplified framework eligibility (Article 16), digital operational resilience strategy (Article 6(8))

~20%

ICT Risk and ICT-Related Incident Management

Incident management process (Article 17), classification criteria and the major incident definition (Article 18, with the seven criteria and materiality thresholds detailed in the classification RTS, Commission Delegated Regulation (EU) 2024/1772), three-report notification sequence with timelines (Article 19 and the reporting RTS), voluntary notification of significant cyber threats (Article 19(2)), client notification obligations (Article 19(3)), post-incident review (Article 13(2)), crisis communication (Article 14)

~20%

Digital Operational Resilience Testing including TLPT

General testing requirements and the yearly testing of systems supporting critical or important functions (Article 24), testing of ICT tools and systems including vulnerability assessments (Article 25), TLPT definition and live-production-system requirement (Article 26), tester qualification and independence requirements (Article 27), TIBER-EU framework, TLPT scope validation by the competent (TLPT) authority (Article 26(3)), remediation plan governance

~10%

ICT Third-Party Risk Management

Integration of third-party risk into ICT risk framework (Article 28), Register of Information, pre-contract due diligence, key contractual provisions including audit rights and TLPT participation (Article 30), concentration risk assessment (Article 29), exit strategies, subcontracting governance, CTPP designation by Joint ESA Committee (Article 31)

~10%

Governance and Oversight

Oversight framework for critical ICT third-party providers, Lead Overseer powers and Joint Examination Teams (Articles 31-40), EBA/ESMA/EIOPA roles, information-sharing arrangements (Article 45), administrative penalties and remedial measures (Article 50), digital operational resilience strategy approved by the management body (Article 6(8)), continual improvement and lessons learned (Article 13)

How to Pass the DORA Lead Manager Exam

What You Need to Know

  • Passing score: PECB standard passing criteria (typically 70%)
  • Exam length: 80 questions
  • Time limit: 3 hours
  • Exam fee: Included in training course package; contact authorised PECB training providers for pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

DORA Lead Manager Study Tips from Top Performers

1. Read the actual DORA regulation text (Regulation (EU) 2022/2554) and its RTS; the exam is open-book and you need to navigate them quickly.
2. Memorise the three incident reporting timelines: initial notification within 4h of classification as major (and no later than 24h from becoming aware), intermediate report within 72h of the initial notification, final report within 1 month of the intermediate report. The sequence is in Article 19; the deadlines come from the reporting RTS.
3. Know the seven classification criteria (Article 18 and the classification RTS). An incident is 'major' only where critical services are affected and, in addition, either the incident involves successful malicious unauthorised access or the thresholds of at least two of the other criteria are met.
4. Understand the difference between the yearly testing of ICT systems supporting critical or important functions (Articles 24-25) and TLPT (at least every three years, Article 26), and which entities each applies to.
5. Map Articles 8-12 to the five capabilities: Identify (8), Protect (9), Detect (10), Respond (11, with Article 17 for incident management), Recover (11, 12).
6. Know the Register of Information requirement (Article 28(3)) and which contractual provisions Article 30 makes mandatory for all arrangements (Article 30(2)) and additionally for critical or important functions (Article 30(3)).

Frequently Asked Questions

What is the PECB DORA Lead Manager exam format?

The PECB Certified DORA Lead Manager exam consists of 80 multiple-choice questions with a 3-hour time limit. It is an open-book exam: candidates may use their training course materials, personal notes, a printed dictionary, and a hard copy of the DORA regulation. The exam can be taken online (proctored) or in paper form at authorised PECB exam venues.

What is DORA and why does it matter?

DORA (Digital Operational Resilience Act, EU Regulation 2022/2554) is an EU regulation that became applicable on 17 January 2025. It establishes uniform ICT risk management, incident reporting, resilience testing, and third-party risk requirements for 20+ categories of financial entities across the EU, including banks, insurers, investment firms, payment institutions, and crypto-asset service providers.

Which DORA domains should I prioritise for the exam?

The six PECB DORA Lead Manager domains are not equally weighted: the first four carry roughly 20% each and the last two roughly 10% each (see the content outline above). Focus on Articles 5-6 (governance and ICT risk framework), Articles 17-19 (incident management and reporting timelines), Articles 26-27 (TLPT requirements), and Articles 28-30 (third-party risk management and contractual provisions). These are the highest-density areas for both the exam and real-world implementation work.

What are the key DORA incident reporting timelines?

For major ICT-related incidents, Article 19(4) requires three sequential reports, and the reporting RTS adopted under Article 20 fixes the deadlines: (1) the initial notification within 4 hours of classifying the incident as major and no later than 24 hours from the moment the entity became aware of it; (2) the intermediate report within 72 hours of the initial notification (or of when it was due); and (3) the final report within one month of the intermediate report (or of when it was due), once the root cause analysis is complete. Clients must be informed without undue delay where a major incident affects their financial interests (Article 19(3)).
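The deadline arithmetic above has two traps: the initial notification has two clocks (4 hours from classification, 24 hours from awareness) and the earlier one wins, and a late report does not extend the next deadline, because the intermediate and final clocks run from the previous report's submission or from when it was due, whichever is earlier. The following Python is an added worked example, not material from the page or from PECB: it models these rules on a constructed incident timeline. The function names are mine, and reading "one month" as a calendar month (clipped at month end) is an assumption.

```python
from datetime import datetime, timedelta
import calendar


def add_months(dt, months):
    """Calendar-month arithmetic, clipping to the last day of a shorter month.
    This reading of the RTS's 'one month' is an assumption of this example."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _clock(sent_at, due_at):
    """Start of the next report's clock: the actual submission if on time,
    otherwise the deadline that was missed. Lateness earns no extension."""
    return due_at if sent_at is None else min(sent_at, due_at)


def report_deadlines(aware_at, classified_at, initial_sent_at=None, intermediate_sent_at=None):
    """Deadlines for the initial, intermediate and final major-incident reports."""
    # Two clocks for the initial notification; the earlier one binds.
    initial_due = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate_due = _clock(initial_sent_at, initial_due) + timedelta(hours=72)
    final_due = add_months(_clock(intermediate_sent_at, intermediate_due), 1)
    return {"initial": initial_due, "intermediate": intermediate_due, "final": final_due}


def late_reports(deadlines, sent):
    """Names of the reports submitted after their deadline (unsent ones are not judged)."""
    return [name for name, due in deadlines.items()
            if sent.get(name) is not None and sent[name] > due]


if __name__ == "__main__":
    # Constructed timeline: classified 4.5 h after awareness, initial report sent
    # early, intermediate report sent 18 h late.
    aware = datetime(2025, 3, 3, 9, 0)
    classified = datetime(2025, 3, 3, 13, 30)
    sent = {"initial": datetime(2025, 3, 3, 16, 0),
            "intermediate": datetime(2025, 3, 7, 10, 0)}
    due = report_deadlines(aware, classified, sent["initial"], sent["intermediate"])
    for name, when in due.items():
        print(f"{name:12s} due {when:%Y-%m-%d %H:%M}")
    print("late:", late_reports(due, sent))
```

Note the second trap in the 24-hour cap: if classification happens more than 20 hours after awareness, the initial notification is already due before the 4-hour window even starts, which is why classification must be run as a time-boxed process rather than waiting for a complete picture.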

What is TLPT and who must conduct it under DORA?

Threat-led penetration testing (TLPT) is an intelligence-led red-team test of live production systems supporting critical or important functions, carried out at least every three years (Article 26(1)) in line with the TIBER-EU framework. Competent authorities identify which financial entities must perform TLPT, taking into account impact-related factors, financial stability concerns and the entity's ICT risk profile. The scope must be validated by the competent (TLPT) authority before testing begins, and third-party providers whose services fall within scope must take part (Article 26(3)). After the test, the entity provides the authority with a summary of findings, its remediation plans and documentation showing the test was run as required (Article 26).

How does DORA's proportionality principle affect implementation?

DORA calibrates requirements to entity size and complexity. Microenterprises are not required to run the formal digital operational resilience testing programme of Article 24, though they must still perform appropriate tests on a risk-based basis (Article 25), and they review their ICT risk management framework periodically rather than yearly (Article 6(5)). The smaller entities listed in Article 16(1) may apply a simplified ICT risk management framework. All entities, regardless of size, must implement ICT risk management and major incident reporting, but the depth of controls and the testing obligations (TLPT in particular) scale with systemic importance and risk profile.