
A Quick Guide To DORA And Its Security Training Requirements

By: Sarah Hofmann | Cyber Security | 30 August

DORA is a new EU regulation that aims to increase the IT security of the financial sector, e.g., banks, insurance companies, and investment firms.

A part of the DORA requirements is training, which must be given to everyone in the organisation. 

In this post, we give you a short summary of DORA and how to implement the security training requirements. 

What is DORA? 

DORA (which stands for Digital Operational Resilience Act) is a new EU regulation that comes into effect on January 17, 2025. It applies to the financial sector and aims to increase the IT security of, e.g., banks, insurance companies, and investment firms.

The main requirements in DORA:

DORA requires that financial entities and their ICT service providers adopt new IT security standards related to:

  • ICT risk management and governance
  • Incident response and reporting
  • Digital operational resilience testing
  • Third-party risk management


The training requirements in DORA

The training requirements in DORA are primarily related to the "Digital operational resilience testing" objective.

DORA requires two different types of training for all employees and senior management.

  • Security awareness training
  • Digital operational resilience training

DORA also says that every employee should be trained to a level relevant to their role.

DORA doesn’t specify exactly what kind or amount of training is enough for which employees. So, it’s up to each organisation to interpret for itself how much training, and of what kind, each employee needs.

But upper-level management needs to know enough about security risks and risk management measures to oversee their organisation's DORA work. This is one example of an employee group that needs a higher level of training.

We'll break down the two types of training next. 

Security awareness training in DORA

With DORA, organisations are required to create a security awareness training programme. Essentially, it says that all employees need to receive general security awareness training. Additionally, organisations should provide specialised training for specific employees on more complex, role-based topics.

General, role-based training for all

The training should be relevant for each employee. For instance, the accounting team could need more training on phishing, while the customer relations team could need more training on what to be aware of when working outside of the traditional office.

Specialized, in-depth training for some

For other roles, like senior leadership, more training could be needed. The management body bears the ultimate responsibility for the implementation of DORA within their organisation. To do this comfortably, employees in senior leadership positions could need training on, for example:

  • The legal side of DORA and the requirements it puts on leadership
  • Risk and vulnerability assessments
  • Incident response, business continuity, and disaster recovery
  • Crisis management
  • Application and infrastructure testing
  • Physical testing
  • Supply chain security

This training could be done with employee workshops, scenario-based training, e-learning, or whatever method the organisation prefers.

Digital operational resilience training in DORA

Digital operational resilience is all about building, testing, and improving an organisation’s security resilience. DORA does not specifically say what training on digital operational resilience should include. Again, it’s completely up to the organisation to determine the right level of training for them, based on their risk profile.

Some aspects of the digital operational resilience training could be covered in the role-specific training (above), e.g., leadership training on topics like risk and crisis management. It can also be done through application, infrastructure, and physical testing of IT systems. 

This training could be done with employee workshops, scenario-based training, e-learning, or whatever method you prefer.

Phishing simulations are another way to test an organisation's digital resilience. Phishing training gives an organisation insight into how it would perform in a phishing attack and shows it which areas to focus on for improvement. These insights feed into a thorough risk analysis and vulnerability assessment, which is an essential part of working with DORA.

How CyberPilot can help you meet DORA's training requirements

Awareness training

CyberPilot’s awareness training will give your organisation the core foundation (and the majority of the content) needed to meet the training requirements, by providing security awareness courses that can be distributed in a role-based training plan. You can see our full catalogue of courses here (and we publish something new every other month).

Our existing course catalogue has 30+ courses on IT security risks, how to handle them, and good digital practices. These courses can be given to all employees in the organisation in order to raise awareness and encourage good digital habits. Specific learning paths can be easily created to tailor the training to different roles, as DORA requires. 

Again, it's completely up to you to determine the level and extent of supplemental and role-based training given to employees in specific roles.


Phishing training

We also recommend pairing awareness training with phishing training. With phishing training, an organisation can test its digital operational resilience (in relation to phishing attacks). This not only improves an organisation’s security, but also contributes to meeting DORA’s requirements. With our spear phishing training, our customers can tailor these training events to different employee groups.

To comply with DORA's “operational resilience training” requirement, our phishing training can give you insights into, and improve, your organisation's resilience to phishing attacks.


In conclusion

By using a combination of awareness training and phishing training, you'll be most of the way towards complying with DORA's training requirements. There's a little extra work to do on in-depth specialised training and digital operational resilience testing. You'll have to decide what training is right for you based on your specific risk profile.

You can read more about DORA here.