Dejan KosuticThe DORA regulation is very specific when it comes to training and awareness requirements — and this is not only for financial organizations, but also for the IT companies that supply their services to financial entities.
This article specifies what those DORA requirements are, and suggests how to organize effective training and awareness according to this EU regulation.
DORA requires cybersecurity training and awareness for financial organizations, but also for their IT suppliers. The best way to organize such training and awareness is to cover each relevant DORA requirement with particular lessons.
Training and awareness requirements for financial organizations
To start, what exactly does DORA require? There are several articles in DORA that prescribe training and awareness for financial organizations:
- Article 5(2) g) requires organization-wide training and awareness: management bodies of financial entities must “allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training referred to in Article 13(6), and ICT skills for all staff.”
- Article 5(4) requires training and awareness for senior management: “members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.”
- Article 13(6) requires training and awareness for both senior management, and all the employees — financial entities must “develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions.”
- Article 16(1) point (h) requires training and awareness as a consequence of testing and incidents: “implement, as appropriate, relevant operational conclusions resulting from the tests referred to in point (g) and from post-incident analysis into the ICT risk assessment process and develop, according to needs and ICT risk profile, ICT security awareness programmes and digital operational resilience training for staff and management.”
- Article 19 (b) in “CDR 2024-1774 Technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework” requires the whole staff of financial organizations to be informed about security documentation, reporting channels for anomalous behavior, and returning all the assets upon termination of employment.
- Article 28 in “CDR 2024-1774 Technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework” requires the organization, as part of simplified ICT risk management, to allocate and review “at least once a year the budget necessary to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff.”
Training and awareness requirements for IT suppliers
As mentioned earlier, DORA specifies that ICT suppliers of financial organizations also need to go for training and awareness — basically, this training needs to be arranged by the financial organization:
- Article 13(6) says that “where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).”
- Article 30(2) point (i) goes a step further and says that “the contractual arrangements on the use of ICT services shall include at least the following elements: … the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6).”
- Article 19 (b), in “CDR 2024-1774 Technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework” similarly to the requirement listed for financial organizations, requires the whole staff of ICT third-party service providers to be informed about security documentation, reporting channels for anomalous behavior, and returning all the assets upon termination of employment.
Which topics should be covered in DORA training & awareness?
When defining topics for training and awareness, the best approach is to go through each DORA article and determine which of them need to be covered with training or awareness.
However, since different DORA requirements are relevant to different employees, the best approach is to group employees and define which articles, i.e., topics, are the best suited for them.
In general, you could go with the following groups:
- Topics for senior management
- Topics for security managers
- Topics for mid-level management
- Topics for IT employees
- Topics for all other employees
- Topics for IT service providers
In the table below, you can see how to map DORA requirements (and requirements of some Commission Delegated Regulations) to particular target groups.
| Senior management | Security managers | Mid-level management | IT employees | All other employees | IT service providers | |
| What is the DORA regulation? (all relevant DORA articles) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| What are the main requirements specified in DORA? (all relevant DORA articles) | ✓ | ✓ | ✓ | |||
| What are DORA Commission Delegated Regulations? (all published CDRs) | ✓ | ✓ | ✓ | |||
| DORA implementation steps (all relevant DORA articles) | ✓ | ✓ | ||||
| Which IT providers need to comply with DORA? | ✓ | ✓ | ✓ | ✓ | ||
| What must ICT service providers comply with? (Articles 28, 30, 31, 33, 35, 37, 39, 42, and 43) | ✓ | ✓ | ✓ | |||
| Why should ICT suppliers go for ISO 27001 and ISO 22301 because of DORA? | ✓ | ✓ | ||||
| Relationship between ISO 27001, ISO 22301, and DORA | ✓ | ✓ | ||||
| DORA vs. NIS 2 vs. GDPR vs. CER | ✓ | ✓ | ✓ | ✓ | ||
| Governance responsibilities for senior management (Article 5) | ✓ | ✓ | ✓ | |||
| Key elements of an ICT risk management framework (Article 6; CDR 2024/1774 Articles 2 and 3) | ✓ | ✓ | ✓ | |||
| Basic concepts of risk assessment and treatment (Article 8; CDR 2024/1774 Articles 3 and 31) | ✓ | ✓ | ||||
| Review of the ICT risk management framework (Article 6 paragraph 5; CDR 2024/1774 Article 27) | ✓ | ✓ | ✓ | |||
| Internal audit of the ICT risk management framework (Article 6 paragraph 6) | ✓ | ✓ | ✓ | |||
| Follow-up and corrective actions (Article 6 paragraph 7; Article 13 paragraph 3 and 5; Article 17 paragraph 2) | ✓ | ✓ | ✓ | |||
| Defining the digital operational resilience strategy (Article 6 paragraph 8) | ✓ | ✓ | ✓ | |||
| Encryption and cryptography (Article 7; CDR 2024/1774 Articles 6 and 7) | ✓ | ✓ | ✓ | |||
| Identifying ICT-supported business functions, roles and responsibilities, and assets (Article 8; CDR 2024/1774 Articles 4 and 5) | ✓ | ✓ | ✓ | |||
| Measurement, monitoring, and controlling the ICT systems (Article 9 paragraph 1; Article 13 paragraph 4; Article 16 paragraph 1; CDR 2024/1774 Articles 2, 3, 8, 31) | ✓ | ✓ | ✓ | |||
| Policies and procedures for ICT operations security (Article 9 paragraph 2; CDR 2024/1774 Article 8) | ✓ | ✓ | ✓ | |||
| Capacity and performance management (Article 9 paragraph 2; CDR 2024/1774 Article 9) | ✓ | ✓ | ✓ | |||
| Data and system security (Article 9 paragraph 2; CDR 2024/1774 Article 11) | ✓ | ✓ | ✓ | |||
| Logging procedures, protocols, and tools (Article 9 paragraph 2; CDR 2024/1774 Article 12) | ✓ | ✓ | ✓ | |||
| Physical and environmental security (Article 9 paragraph 2; CDR 2024/1774 Article 18) | ✓ | ✓ | ✓ | |||
| Organizing human resources security (Article 9 paragraph 2) | ✓ | ✓ | ✓ | |||
| Human resources policy (Article 9 paragraph 2; CDR 2024/1774 Article 19) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Secure communications – secure transfer/transit of data (Article 9 paragraph 3 point a; CDR 2024/1774 Article 14) | ✓ | ✓ | ✓ | |||
| Handling the risk of data corruption (Article 9 paragraph 3 point b) | ✓ | ✓ | ✓ | |||
| Handling risks arising from data management (Article 9 paragraph 3 point d) | ✓ | ✓ | ✓ | ✓ | ||
| Developing a top-level information security policy (Article 9 paragraph 4 point a) | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Establishing network and infrastructure management structure (Article 9 paragraph 4 point b; CDR 2024/1774 Article 13) | ✓ | ✓ | ✓ | |||
| Policies for limiting physical and logical access (Article 9 paragraph 4 point c; CDR 2024/1774 Article 21) | ✓ | ✓ | ✓ | ✓ | ||
| Identity management and strong authentication mechanisms (Article 9 paragraph 4 point d; CDR 2024/1774 Article 20) | ✓ | ✓ | ✓ | |||
| ICT project management (CDR 2024/1774 Article 15) | ✓ | ✓ | ✓ | ✓ | ||
| ICT change management (Article 9 paragraph 4 point e; CDR 2024/1774 Article 17) | ✓ | ✓ | ✓ | ✓ | ||
| Vulnerability, patch management, and updates (Article 9 paragraph 4 point f; CDR 2024/1774 Article 10) | ✓ | ✓ | ✓ | |||
| ICT systems acquisition, development, and maintenance (CDR 2024/1774 Article 16) | ✓ | ✓ | ✓ | ✓ | ||
| Mechanisms to promptly detect anomalous activities (Article 10; CDR 2024/1774 Article 23) | ✓ | ✓ | ✓ | ✓ | ||
| Implementing an ICT business continuity policy (Article 11 paragraphs 1, 2, and 4; Article 9 paragraph 2; CDR 2024/1774 Article 24) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Implementing ICT response and recovery plans (Article 11 paragraph 3; CDR 2024/1774 Article 26) | ✓ | ✓ | ✓ | ✓ | ||
| Business impact analysis, RTO, and RPO (Article 11 paragraph 5; Article 12 paragraph 6) | ✓ | ✓ | ||||
| Testing business continuity and recovery plans (Article 11 paragraph 6; CDR 2024/1774 Article 25) | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Crisis management and crisis communication plans (Article 11 paragraph 7; Article 14) | ✓ | ✓ | ✓ | |||
| Emergency communications (Article 11 paragraph 7; Article 14) | ✓ | ✓ | ✓ | ✓ | ||
| Managing backup and restoration (Article 12 paragraphs 1, 2, 3, and 7) | ✓ | ✓ | ✓ | |||
| Secondary processing site (Article 12 paragraphs 4 and 5) | ✓ | ✓ | ✓ | |||
| Threat intelligence (Article 13 paragraph 1) | ✓ | ✓ | ✓ | |||
| Post-incident reviews (Article 13 paragraph 2) | ✓ | ✓ | ✓ | |||
| Organizing security training and awareness (Article 13 paragraph 6) | ✓ | ✓ | ✓ | ✓ | ||
| Monitoring technological developments (Article 13 paragraph 7) | ✓ | ✓ | ||||
| Main elements of the simplified ICT risk management framework (Article 16; CDR 2024/1774 Title III) | ✓ | ✓ | ✓ | ✓ | ||
| Main elements of the incident management process (Article 17; CDR 2024/1774 Article 22) | ✓ | ✓ | ✓ | ✓ | ||
| Classification of ICT incidents and threats (Article 18; CDR 2024/1772 Articles 1 to 10) | ✓ | ✓ | ✓ | |||
| Reporting of major incidents and cyber threats (Article 19) | ✓ | ✓ | ||||
| Main elements of digital operational resilience testing (Article 24) | ✓ | ✓ | ✓ | |||
| Resilience testing of ICT tools and systems (Article 25) | ✓ | ✓ | ✓ | |||
| Key elements of Threat-Led Penetration Testing – TLPT (Articles 26 and 27) | ✓ | ✓ | ✓ | |||
| Main elements of management of ICT third-party risk (Article 28; CDR 2024/1773 Articles 1 to 4) | ✓ | ✓ | ✓ | ✓ | ||
| Monitoring, inspection, and audit of the ICT third-party service provider (Article 28 paragraph 6; Article 30 paragraph 3 points a and e; CDR 2024/1773 Article 9) | ✓ | ✓ | ✓ | |||
| Exit strategies for ICT services (Article 28 paragraph 8; CDR 2024/1773 Article 10) | ✓ | ✓ | ✓ | ✓ | ||
| Assessment of risks of ICT service providers (Article 29; CDR 2024/1773 Articles 5, 6, and 7) | ✓ | ✓ | ✓ | ✓ | ||
| Clauses to be included in contracts with ICT service providers (Article 30; CDR 2024/1773 Article 8) | ✓ | ✓ | ✓ | |||
| Who are critical ICT service providers? (Article 31; CDR 2024/1502 Articles 2, 3, 4, 5, and 6) | ✓ | ✓ | ✓ | |||
| The roles of Lead Overseer and competent authorities for critical ICT service providers (Articles 33, 35, 36, 37, 38, 39, 42, and 43) | ✓ | ✓ | ||||
| Penalties and fines (Articles 50, 51, and 54) | ✓ | ✓ | ✓ | ✓ |
Security awareness topics for all employees
When it comes to awareness, DORA’s articles 5, 13, 16, and 30 require ICT security awareness programs for all employees — not only for financial entities, but also for ICT service providers.
Since DORA did not specify what the content of such awareness programs should be, below you will find a list of suggested topics that could be suitable for a company-wide cybersecurity awareness program:
- Basic cyber hygiene practices
- Backup basics
- Basics of authentication
- Basics of network security
- Insider threats
- Cloud security basics
- Computer malware
- Email security
- Human error
- Identity theft
- The mind of a hacker
- Passwords
- Device physical security
- Privacy
- Intellectual property
- Protecting paperwork
- Security of mobile devices
- Social engineering
- Social media
- Remote work
See also: Options for delivering NIS 2, DORA, and ISO 27001 training
The value of DORA training and awareness
Obviously, DORA is very strict when it comes to training and awareness — but such emphasis does have a positive side: Better trained and aware employees means a lower number of cybersecurity incidents, smoother operations, and, in some cases, higher customer satisfaction.
So, investment in training and awareness does pay off — just make sure that you reach everyone who needs it.
For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.