GRC Advanced / DORA & NIS2 Training

The advanced GRC programme for senior compliance officers, risk directors, and board advisers. CPD-certified training covering DORA (Digital Operational Resilience Act), NIS2 Directive, COSO ERM 2017, and enterprise GRC strategy for UK and European organisations.

CPD-Certified · Advanced Level · DORA & NIS2 2026 Updated · Online · Senior Professionals

What Is DORA and NIS2 Compliance Training?

DORA and NIS2 compliance training is advanced professional development in the EU Digital Operational Resilience Act (DORA) and NIS2 Directive — the two most significant cybersecurity and operational resilience regulatory frameworks affecting UK and European organisations in 2026. Training covers compliance obligations, implementation methodology, and enterprise risk management at board and programme leadership level.

DORA (Digital Operational Resilience Act) became enforceable for EU financial services organisations in January 2025. NIS2 (Network and Information Security Directive 2) entered national law across EU member states in October 2024. Both impose significant new obligations on governance, risk management, operational resilience, third-party risk, and incident reporting — creating an urgent upskilling need for UK organisations operating in or serving EU markets.

This advanced CPD-certified course is designed for senior compliance officers, risk directors, and board advisers who must understand DORA and NIS2 obligations in depth and lead enterprise GRC programmes, manage board-level risk reporting, and oversee third-party risk across complex supply chains.

Advanced GRC Course Curriculum: DORA, NIS2 & Enterprise Risk

The Advanced GRC curriculum covers the most demanding regulatory and governance challenges facing UK and European compliance leaders in 2026:

DORA — Implementation Detail

  • DORA scope: which entities are covered and how to determine applicability
  • ICT risk management framework: Article 6 requirements in full
  • ICT-related incident classification and reporting: timelines and RTS
  • Digital operational resilience testing: vulnerability assessments and TLPT
  • Register of ICT third-party providers: contractual requirements under Articles 28–30

NIS2 — Governance & Implementation

  • NIS2 entity classification: essential vs important across 18 sectors
  • Management body obligations: personal accountability and approval duties
  • Cybersecurity risk management measures: the 10 minimum security measures
  • Incident reporting: 24-hour early warning, 72-hour notification, monthly final
  • Supply chain security and NIS2: assessing ICT suppliers

Enterprise Risk Management

  • COSO ERM 2017: five components and 20 principles
  • Risk strategy and objective-setting: appetite, tolerance, and capacity
  • Portfolio view of risk: aggregation, concentration, and interconnectedness
  • Linking ERM to strategic planning and performance management

Third-Party Risk

  • TPRM framework design: governance, policy, and programme structure
  • Supplier segmentation: criticality tiers and risk appetite
  • Due diligence: questionnaires, audits, certifications, and continuous monitoring
  • DORA ICT concentration risk: identifying and managing systemic third-party exposures

Board Governance

  • Board risk committee structure: terms of reference and reporting
  • Risk appetite statements: quantitative and qualitative formulation
  • Director personal liability under NIS2 and DORA management body obligations
  • GRC programme KPIs: metrics for board reporting on compliance maturity

What You Will Learn: Advanced GRC Modules

The Advanced GRC course covers six senior-level regulatory, governance, and enterprise risk management competency areas:

Module / What You Will Learn

Module 1: DORA — Digital Operational Resilience Act
Master DORA requirements including ICT risk management frameworks, ICT-related incident reporting, digital operational resilience testing, and third-party ICT provider oversight. Covers UK organisations' DORA exposure through EU market operations.
Module 2: NIS2 Directive — Network and Information Security
Understand NIS2 obligations for essential and important entities across 18 critical sectors — governance requirements, cybersecurity risk management measures, incident reporting timelines, supply chain security, and supervisory powers.
Module 3: COSO ERM 2017 — Enterprise Risk Management
Apply the COSO Enterprise Risk Management 2017 integrated framework — risk appetite articulation, risk culture, portfolio view of risk, and linking risk strategy to performance objectives.
Module 4: Third-Party Risk Management
Design and operate a robust TPRM programme — supplier risk assessment, due diligence, contract requirements, continuous monitoring. Covers DORA's ICT third-party provider requirements and NIS2 supply chain security obligations.
Module 5: Board Governance & Risk Reporting
Develop board-level risk reporting frameworks, governance committee structures, and risk appetite statements. Covers director personal liability under NIS2, DORA management body accountability, and board cybersecurity oversight.
Module 6: Enterprise GRC Programme Design
Design, implement, and mature an enterprise GRC programme — governance framework, risk taxonomy, compliance calendar, control testing programme, and GRC technology selection.

Why Choose GRC Index for Advanced GRC Training?

GRC Index is uniquely positioned to deliver DORA and NIS2 training for UK organisations — combining 8+ years of live GRC assessment expertise with direct knowledge of how DORA and NIS2 interact with ISO 27001, SOC 2, ISAE 3402, and the GRC Index benchmarking framework. No other UK-based CPD-certified training provider delivers a combined DORA + NIS2 + COSO ERM + TPRM programme tailored for UK organisations operating in or serving EU markets — and connects it to an independently assessed GRC Score.

Advantage / Detail

DORA Specialist Coverage
Most complete DORA training available from a UK provider — Articles 6–30 covered in full including RTS requirements
NIS2 UK-Specific Context
NIS2 coverage tailored for UK organisations with EU market exposure — not generic EU-only content
COSO ERM 2017 Integration
Enterprise risk management mapped to the same framework assessed in the GRC Index Risk Management domain
First-Mover Advantage
DORA/NIS2 compliance training is an emerging space — establish authority before competitors build equivalent content
CPD-Certified — 20 Hours
Highest CPD credit in our portfolio — IIA, ACCA, ICAEW, ISACA recognition

Who Should Take Advanced GRC Training?

Advanced GRC training is for experienced professionals operating at senior level in compliance, risk, or governance:

Professional Role / Why This Course Matters

Chief Compliance Officers & Compliance Directors
Lead DORA and NIS2 compliance programmes, manage regulatory relationships, and oversee enterprise-wide compliance governance
Chief Risk Officers & Risk Directors
Apply COSO ERM 2017, manage board risk appetite, and lead third-party risk programmes under DORA and NIS2
Board Members & Non-Executive Directors
Discharge personal governance obligations under NIS2 management body requirements and DORA ICT risk management accountability
Heads of Internal Audit
Audit DORA and NIS2 compliance programmes, ICT third-party provider controls, and enterprise GRC programme effectiveness
Information Security Directors & Deputy CISOs
Lead NIS2 cybersecurity risk management and DORA digital operational resilience testing requirements
GRC Programme Managers
Design and mature enterprise GRC programmes, manage multiple regulatory frameworks, and deliver board-level GRC reporting

Frequently Asked Questions: DORA & NIS2 Training

What is DORA compliance training?

DORA compliance training is professional development in the EU Digital Operational Resilience Act (DORA) — enforceable for EU financial services entities from January 2025. It covers ICT risk management framework requirements, incident reporting obligations, digital operational resilience testing, and ICT third-party provider oversight under Articles 6–30.

Who does DORA apply to in the UK?

DORA applies directly to financial services entities established in the EU — credit institutions, payment institutions, investment firms, and insurance undertakings. UK organisations are affected if they operate EU branches, serve EU-regulated clients, or provide ICT services to EU financial services entities. UK domestic DORA-equivalent regulation is under development by the FCA and PRA.

What is NIS2 and who does it apply to?

NIS2 (Network and Information Security Directive 2) is the EU cybersecurity directive applicable to essential and important entities in 18 critical sectors including energy, transport, finance, health, digital infrastructure, and digital service providers. UK organisations with EU operations, subsidiaries, or services to EU essential entities fall within NIS2 scope.

What is the difference between DORA and NIS2?

DORA focuses specifically on digital operational resilience in financial services — ICT risk management, resilience testing, and ICT third-party provider oversight. NIS2 is a broader cybersecurity governance directive applying to critical sectors beyond finance. Both impose incident reporting and supply chain security requirements, but to different entity types.

How does DORA relate to ISO 27001?

ISO 27001 implementation provides substantial evidence for DORA ICT risk management obligations (Articles 6–8). DORA additionally requires financial entities to conduct resilience testing beyond standard ISO 27001 scope — threat-led penetration testing and scenario-based testing. GRC Index Advanced training covers how to leverage ISO 27001 evidence for DORA and where additional controls are required.

Is DORA and NIS2 training available online in the UK?

Yes. GRC Index Advanced GRC Training covering DORA and NIS2 is fully online and CPD-certified. It is the only UK CPD-certified programme combining DORA, NIS2, COSO ERM, and TPRM within a single advanced curriculum. Available as self-paced or instructor-led cohort delivery.