DORA: Security Awareness and Training Requirements

Sarah Mitchell··6 min read
Financial services professionals reviewing digital operational resilience requirements in a meeting

When financial firms talk about the EU's Digital Operational Resilience Act, the conversation usually centers on ICT risk management frameworks, incident reporting timelines, and resilience testing. Those pillars get the headlines. But buried in the same regulation is an obligation that touches every single employee, and one that supervisors can ask you to evidence: security awareness training.

DORA, formally Regulation (EU) 2022/2554, has applied to financial entities across the European Union since 17 January 2025. It is not a directive that each member state translates differently, it is a regulation with direct effect, which means the same baseline expectations apply across the bloc. And among those expectations, the human layer is not optional. This article focuses on the awareness, training, and third-party dimensions of DORA, the parts that intersect most directly with a security awareness program, and deliberately stays distinct from the separate NIS2 regime.

Who DORA Applies To

DORA's scope is broad. It covers roughly twenty different types of financial entities, banks, insurance and reinsurance undertakings, investment firms, payment and electronic-money institutions, crypto-asset service providers, and more. If your organization operates in EU financial services, the presumption should be that DORA applies to you.

Crucially, the regulation reaches beyond financial firms themselves. It also extends to the ICT third-party service providers those firms depend on, including a dedicated oversight framework for providers designated as critical. In other words, the technology vendors, cloud platforms, and managed service providers that underpin the financial sector are pulled into scope through their relationships with the entities they serve. Operational resilience is treated as a shared responsibility across the whole chain.

The Awareness and Training Obligation

This is where DORA becomes directly relevant to security awareness practitioners. The regulation does not leave staff training to best-effort discretion. Under its ICT risk management provisions, financial entities are required to develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Two words in that requirement carry real weight: compulsory, and modules.

Several specific expectations follow from the text of the regulation:

  • It applies to everyone. The programmes must reach all employees, and the level of complexity should be commensurate with the responsibilities of each role.
  • Senior management is explicitly included. Training is not just for frontline staff. Senior management is named within scope of the awareness programmes.
  • The management body must stay current. Members of the management body are expected to actively maintain sufficient knowledge to understand and assess ICT risk, including by following specific training on a regular basis, commensurate with the risk being managed.
  • Resourcing is a board responsibility. The management body is responsible for allocating and periodically reviewing an appropriate budget for the entity's digital operational resilience needs, which includes these awareness and training programmes.

DORA reframes security awareness from a nice-to-have into a board-level, compulsory part of operational resilience, with the management body on the hook for funding it and for understanding ICT risk themselves.

The practical implication is that an annual, lightly-attended e-learning module is unlikely to satisfy the spirit of the requirement. Supervisors will reasonably expect a structured, role-appropriate programme that genuinely builds the workforce's ability to recognize and resist ICT threats, and that the board can show it understands and funds.

The Third-Party Dimension

DORA's treatment of third-party risk is one of its defining features, and it connects back to training in a way that is easy to miss. The regulation contemplates that, where appropriate, financial entities should also include their ICT third-party service providers in relevant training schemes. Operational resilience is only as strong as the weakest link in the supply chain, and that includes the people at your providers who touch your systems and data.

For the broader third-party risk obligations, financial entities are expected to maintain oversight of the ICT services they rely on, with appropriate contractual arrangements and monitoring. The takeaway for an awareness program is straightforward: vendor risk is your risk. Extending awareness expectations into your supplier relationships, and being able to show you have done so, is consistent with how DORA approaches the ecosystem as a whole.

This matters because the social-engineering attacks that awareness training defends against do not respect organizational boundaries. A phishing email that compromises a help-desk contractor at one of your ICT providers can become a pathway into your own environment, regardless of how well your internal staff are trained. DORA's instinct to treat resilience as a chain-wide responsibility reflects that reality. For practitioners, it is a prompt to ask a question many programs overlook: do the people at our critical providers who handle our data receive awareness training of a standard we would accept internally, and can either party demonstrate it? Building that expectation into vendor due diligence and contracts closes a gap that purely internal training leaves wide open.

How to Evidence Compliance

Under DORA, the supervisory posture is firmly toward demonstrable, documented controls rather than verbal assurances. National competent authorities supervise financial entities, coordinated at EU level by the European Supervisory Authorities, the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority, with a Lead Overseer framework for critical ICT third-party providers. When they ask about your awareness programme, you will need records, not recollections.

Authoritative guidance for the insurance and pensions sector is published by EIOPA, and the corresponding banking and securities authorities maintain their own DORA resources. To stand up to that scrutiny, build your evidence trail deliberately:

  1. Maintain completion records. Keep dated proof of who completed which training module, mapped to roles, including senior management and the board.
  2. Document the curriculum and its cadence. Show that training is structured, role-appropriate, refreshed over time, and updated to reflect current ICT threats.
  3. Capture phishing simulation results. Click rates, report rates, and the remedial training that follows demonstrate that the programme measurably builds resilience, not just attendance.
  4. Record board engagement. Document the specific training the management body undertakes and evidence that an appropriate budget is allocated and reviewed.
  5. Extend the trail to third parties. Where you include providers in training or set awareness expectations contractually, keep that documentation alongside the rest.

This is precisely the kind of audit-ready trail empowsec is built to produce. Security awareness training and phishing simulation generate dated completion records, behavioral metrics, and reporting that map cleanly to DORA's documentation expectations, so the human layer of your resilience programme is not just delivered, but provable. As always, treat regulatory guidance as the source of truth and consult qualified compliance counsel for your specific obligations.

Key Takeaways

  • DORA has applied since 17 January 2025 and reaches around twenty types of financial entities plus their ICT third-party providers across the EU.
  • Awareness training is compulsory. ICT security awareness programmes and resilience training must be built into staff schemes for all employees and senior management.
  • The board is accountable. The management body must maintain its own ICT risk knowledge and allocate budget for the programme.
  • Third-party risk is in scope. Where appropriate, extend training and awareness expectations to the ICT providers you depend on.
  • Evidence is everything. Keep dated completion records, document curriculum and cadence, capture simulation results, and record board engagement to satisfy supervisors.
Share: