Quiz
Chapter 33: Cybersecurity Regulations — DORA, NIST, and Operational Resilience
Instructions: Select the best answer for each question. An answer key with explanations appears at the end of the quiz. Questions are arranged from foundational to applied.
Question 1
DORA (Digital Operational Resilience Act, EU 2022/2554) became applicable to financial entities from which date?
A) 16 January 2023 — the date the regulation entered into force
B) 17 January 2025 — the date of application following the 24-month implementation period
C) 31 March 2025 — the FCA's equivalent resilience deadline
D) 1 January 2024 — the date the European Banking Authority published its first DORA technical standards
Question 2
Under DORA Article 19, when does the 4-hour clock for the initial major incident notification to the National Competent Authority begin?
A) At the moment the ICT incident is first detected by the firm's monitoring systems
B) When the firm's CISO formally notifies the Chief Compliance Officer of the incident
C) At the moment the firm classifies the incident as a major ICT incident under DORA's criteria (with an outside limit of 24 hours from first detection)
D) When the firm's Board is formally briefed on the incident
Question 3
A UK financial institution discovers at 09:00 on a Tuesday that customer personal data has been exposed due to a misconfigured cloud storage bucket. At what time must the ICO receive a GDPR Article 33 breach notification, assuming the breach poses a risk to the rights and freedoms of data subjects?
A) By 09:00 on Wednesday (24 hours after discovery)
B) By 09:00 on Thursday (48 hours after discovery)
C) By 09:00 on Friday (72 hours after discovery)
D) By 09:00 the following Monday (the next business day after 72 hours)
Question 4
Under FCA Principle 11 (PRIN 11), when must a firm notify the FCA of a material cyber incident that has caused significant disruption to customer services?
A) Within 24 hours, using the FCA's SUP 15 prescribed notification form
B) Within 72 hours in writing, addressed to the firm's named supervisory contact
C) As soon as the firm becomes aware that the incident is material — typically within hours, not days; the FCA does not prescribe a fixed deadline but expects prompt disclosure
D) Within one business day of the incident being fully resolved and root cause confirmed
Question 5
TLPT (Threat-Led Penetration Testing) under DORA is primarily distinguished from conventional penetration testing by which characteristic?
A) It is conducted by the firm's internal IT security team rather than external consultants
B) It is based on live threat intelligence specific to the financial sector and simulates the tactics, techniques, and procedures of realistic threat actors — not generic penetration test scripts
C) It focuses exclusively on testing the firm's mobile banking applications rather than core infrastructure
D) It must be conducted monthly rather than annually to satisfy DORA requirements
Question 6
Under DORA's framework for ICT third-party providers, what is the primary concern that the Critical Third-Party Provider (CTPP) oversight regime addresses?
A) The risk that an ICT vendor will file for bankruptcy and cease operations without notice
B) Concentration risk — the risk that a single ICT provider serves such a large proportion of the EU financial sector that its failure or disruption could cause systemic operational risk across multiple regulated institutions simultaneously
C) The risk that ICT vendors will overcharge regulated firms for cloud services during periods of high demand
D) The risk that ICT vendors will share proprietary trading data between competing financial institution clients
Question 7
Which of the following correctly identifies all six core functions of NIST Cybersecurity Framework 2.0 (published February 2024)?
A) Identify, Protect, Detect, Respond, Recover, Test
B) Govern, Assess, Protect, Monitor, Respond, Remediate
C) Govern, Identify, Protect, Detect, Respond, Recover
D) Plan, Identify, Protect, Detect, Respond, Recover
Question 8
In the context of the FCA/PRA operational resilience framework (PS21/3, SS1/21), what does the term "impact tolerance" mean?
A) The maximum financial loss a firm can absorb from a single cyber incident before becoming insolvent
B) The maximum tolerable level of disruption to an important business service, expressed in time and customer harm metrics, beyond which the firm accepts that harm to customers and markets is unacceptable
C) The percentage of IT systems that may fail simultaneously without triggering FCA regulatory notification
D) A firm's cyber insurance deductible — the loss it must absorb before insurance coverage activates
Question 9
Which of the following most accurately describes the relationship between the UK FCA/PRA operational resilience framework (PS21/3) and DORA?
A) They are identical frameworks — the FCA simply adopted DORA by reference after the Brexit transitional period ended
B) They are parallel but distinct frameworks sharing the same underlying policy logic (firms must remain within defined tolerance for disruption to critical services), but with different scope, notification requirements, testing standards, and deadlines; a firm with both UK and EU operations must comply with both independently
C) DORA supersedes the FCA framework for UK firms with EU operations; such firms need only comply with the more stringent DORA requirements
D) The FCA framework applies to cyber incidents only; DORA applies to all operational risk events regardless of whether they are technology-related
Question 10
DORA Article 5 imposes specific obligations on the "management body" of a financial entity in relation to ICT risk. Which of the following most accurately describes these obligations?
A) The management body must appoint a Chief Information Security Officer and delegate all ICT risk decisions to that individual
B) The management body must approve and regularly review the ICT risk management framework, allocate sufficient budget for ICT, remain informed about ICT incidents, and develop sufficient collective knowledge and skills on ICT risk to meaningfully evaluate and challenge ICT risk matters
C) The management body must personally conduct annual penetration testing of the firm's critical systems
D) The management body must ensure that the firm's IT department is separate from all business units and reports directly to the Board without management intermediary
Question 11
Under DORA's Regulatory Technical Standards on major incident classification, which combination of factors would most clearly qualify an ICT incident as a "major incident" requiring notification?
A) A 15-minute outage of an internal HR system affecting only staff, caused by a routine software update
B) A ransomware attack that disables payment processing systems, affects 25,000 retail customers, involves potential data exfiltration, and has been ongoing for 6 hours
C) A DDoS attack on the firm's public website that causes the website to be unavailable for 3 hours but does not affect core banking or customer-facing transaction systems
D) A phishing email campaign targeting staff that results in two employees clicking malicious links before the firm's email security system quarantines further messages
Question 12
What is the key operational distinction between business continuity planning (BCP) and disaster recovery planning (DRP)?
A) Business continuity planning covers cyber incidents only; disaster recovery planning covers physical disasters such as floods and fires
B) Business continuity planning focuses on maintaining or rapidly resuming critical business services during a disruption (the "what" — keeping the business running); disaster recovery planning focuses on restoring the technology systems and data that those services depend on (the "how" — recovering the IT infrastructure)
C) Business continuity planning is required by regulators; disaster recovery planning is voluntary best practice
D) They are interchangeable terms for the same process; any distinction between them is semantic only
Question 13
During a live ransomware incident at a dual-regulated UK bank, the cybersecurity team insists that all regulatory notifications must wait until the root cause is confirmed and the incident is fully contained. The compliance team believes notifications must begin immediately. Which position is correct, and why?
A) The cybersecurity team is correct — regulatory notifications must be based on confirmed facts; premature notification based on incomplete information could mislead regulators and create additional liability
B) The compliance team is correct — DORA, GDPR, and FCA PRIN 11 all require notification based on awareness and classification, not on complete investigation; waiting for root cause confirmation would breach notification deadlines for all three frameworks, and regulatory notifications may be updated as information develops
C) Neither team is entirely correct — the firm should notify only after getting external legal counsel approval, which typically takes 48 to 72 hours for significant incidents
D) The cybersecurity team is correct for DORA purposes, but the compliance team is correct for GDPR purposes only
Answer Key
| Q | Answer | Brief Explanation |
|---|---|---|
| 1 | B | DORA entered into force on 16 January 2023 but the 24-month implementation period meant it became applicable on 17 January 2025. The 31 March 2025 date is the FCA's operational resilience "remain within tolerance" deadline — a separate UK requirement. |
| 2 | C | DORA Article 19 is precise: the 4-hour clock starts at classification as a major incident, not at detection. The 24-hour outside limit prevents firms from delaying classification indefinitely to avoid the notification obligation. Firms must assess severity promptly upon detection. |
| 3 | C | UK GDPR Article 33 requires notification to the ICO within 72 hours of becoming aware of the breach (where it poses a risk to data subjects). 09:00 Tuesday + 72 hours = 09:00 Friday. Weekends do not extend the deadline. If the 72-hour period elapses, the notification should be filed immediately with an explanation of the delay. |
| 4 | C | FCA PRIN 11 requires open and cooperative dealing and prompt disclosure of matters the FCA would reasonably expect notice of. The FCA does not prescribe a fixed numerical deadline for cyber incident notification in the way DORA does, but its supervisory expectations (communicated through Dear CEO letters and supervisory guidance) are clear: material incidents should be notified promptly — in hours, not days. |
| 5 | B | TLPT (based on the TIBER-EU methodology) is distinguished from conventional penetration testing by its intelligence-led approach: it uses live, current threat intelligence about the specific tactics and techniques of real threat actors targeting the financial sector, and simulates realistic attacks on the firm's critical live production systems — not on test environments. This makes it significantly more operationally meaningful than standard penetration tests. |
| 6 | B | The CTPP regime directly addresses concentration risk. If a single cloud provider or technology vendor serves 40–50% of EU financial institutions, its failure could cascade across the entire financial system. The regime allows EU supervisors to designate such providers as CTPPs and subject them to direct regulatory oversight, even though DORA's primary obligations fall on the regulated financial entities. |
| 7 | C | NIST CSF 2.0 (February 2024) comprises six functions: Govern (new), Identify, Protect, Detect, Respond, and Recover. The original five-function framework (NIST CSF 1.1) did not include Govern. The addition reflects regulatory consensus that cybersecurity is a governance matter requiring Board accountability — consistent with DORA Article 5 and the SM&CR. |
| 8 | B | Impact tolerance is the FCA/PRA's mechanism for converting resilience into a testable regulatory commitment. Expressed in maximum disruption duration and customer harm metrics, it defines the point beyond which disruption becomes unacceptable. Firms must be able to demonstrate they can remain within their stated tolerances during severe but plausible disruption scenarios, including cyber attacks. |
| 9 | B | The UK and EU frameworks share the same foundational policy logic but are entirely separate legal regimes. A UK firm with an EU-regulated subsidiary must comply with both: the FCA/PRA framework for its UK operations and DORA for its EU operations. There is no formal mutual recognition or equivalence decision that allows compliance with one to satisfy the other. |
| 10 | B | DORA Article 5 creates enforceable Board-level accountability for ICT risk — one of the regulation's most significant governance innovations. The management body cannot simply delegate ICT risk to the CISO and disengage. It must approve the ICT risk management framework, receive regular reporting on ICT risk, understand incidents, and develop sufficient collective knowledge to exercise meaningful oversight. This is a compliance obligation, not aspirational guidance. |
| 11 | B | DORA's RTS on classification specifies that a major incident is determined by multiple criteria including: number of clients affected; impact on critical or important functions; duration; geographic spread; data loss; financial impact; and reputational damage. A ransomware attack disabling payment processing for 25,000 customers over 6 hours, with potential data exfiltration, satisfies multiple criteria simultaneously. The other options describe incidents falling clearly below the major incident threshold. |
| 12 | B | Business continuity planning (BCP) is concerned with the continuity of the business and its services during a disruption — manual workarounds, alternative processes, staff deployment, customer communication. Disaster recovery planning (DRP) is concerned with restoring the technical infrastructure — systems, data, networks — that the business depends on. Both are required under DORA, the FCA operational resilience framework, and sound governance practice, and they must be tested together to be meaningful. |
| 13 | B | The compliance team is correct. DORA's initial notification must be filed within 4 hours of major incident classification — not after root cause confirmation. UK GDPR's 72-hour ICO notification clock runs from the moment the controller becomes aware of the breach. FCA PRIN 11 requires prompt notification based on current knowledge. All three frameworks explicitly contemplate that initial notifications will be based on incomplete information and require updated reports as the picture develops. Waiting for complete certainty would breach all three notification regimes simultaneously. |