
DORA Article 13 ICT Awareness & Operational Resilience Training — Live Sessions for Financial Entities

DORA enforcement has been live since 17 January 2025. Article 13 requires role-specific ICT awareness training for all staff and your management body. One live Business session satisfies both — with attendance records for your compliance file.

500+ professionals trained
50+ industries served
98% satisfaction rate
Live expert instructors, always
DORA — Digital Operational Resilience Act — Enforcement Live Since 17 January 2025

Article 13 — ICT Awareness Programmes & Digital Operational Resilience Training. Financial entities must implement ICT security awareness programmes and digital operational resilience training as part of their ICT risk management framework. Training must be provided to all staff and, separately, to members of the senior management body — with programmes tailored to the function concerned (role-specific training, Article 13(6)).

Enforcement Live Since 17 January 2025. Unlike NIS2, DORA had a single application date. All EU financial entities in scope were required to comply from 17 January 2025. Competent authorities (NCAs) in the Netherlands, Germany, France, Ireland, and Luxembourg are conducting supervisory assessments of ICT risk frameworks — training documentation is among the first artefacts requested.

Role-Specific Requirement. Article 13(6) distinguishes between ICT staff and senior management training. The content must be proportionate to each person's function. A compliance officer needs different training than a front-office trader or a cloud infrastructure engineer. Our Business tier session is structured to deliver role-specific scenario content within a single live webinar.

Threat-Led Penetration Testing (TLPT). Significant financial entities are subject to TLPT requirements under Articles 26–27. The human element — phishing, social engineering, and BEC — is included in TLPT threat scenarios precisely because it's the most common initial access vector. Training your staff before a TLPT engagement reduces exposure and improves test outcomes.

The attacks targeting financial entities under DORA's threat landscape.

AiTM Phishing Bypassing MFA on Banking Portals

Adversary-in-the-Middle (AiTM) phishing uses reverse-proxy kits to capture session cookies in real time — bypassing TOTP and push-based MFA entirely. Staff receive a convincing fake login page for the bank's internal portal, enter their credentials and MFA code, and the attacker uses the live session token before it expires. This technique is documented in active campaigns against European financial institutions and is a core scenario in our DORA training.
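The defensive counterpart of the scenario above is spotting the replayed session token. A reverse-proxy kit hands the captured cookie to the attacker's own infrastructure, so in the identity provider's logs the session that just completed MFA from one client (IP address, user agent) is used shortly afterwards from a different one. The following is an added example, not code from the original page or from the training provider: a small detector run over constructed sample log lines. The log format, the field names and the `REPLAY_WINDOW` threshold are assumptions made for the example.

```python
"""Flag sessions used from a different client than the one that completed MFA.

Added example, not from the page. Signature of AiTM token replay: a session
cookie issued after MFA_OK from client A is presented from client B within a
short window. The CSV-style log format below is constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample lines (not real data):
# event,timestamp,user,session_id,src_ip,user_agent
SAMPLE_LOG = """\
LOGIN_OK,2025-03-03T09:00:05Z,a.smith,sess-1a2b,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Chrome/122
MFA_OK,2025-03-03T09:00:21Z,a.smith,sess-1a2b,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Chrome/122
SESSION_USE,2025-03-03T09:00:40Z,a.smith,sess-1a2b,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Chrome/122
SESSION_USE,2025-03-03T09:03:12Z,a.smith,sess-1a2b,203.0.113.77,python-requests/2.31
LOGIN_OK,2025-03-03T09:10:00Z,b.jones,sess-9f8e,192.0.2.14,Mozilla/5.0 (Macintosh) Safari/17.3
MFA_OK,2025-03-03T09:10:15Z,b.jones,sess-9f8e,192.0.2.14,Mozilla/5.0 (Macintosh) Safari/17.3
SESSION_USE,2025-03-03T11:45:00Z,b.jones,sess-9f8e,192.0.2.14,Mozilla/5.0 (Macintosh) Safari/17.3
"""

# Assumed threshold: a stolen cookie is typically replayed within minutes,
# because the attacker must use it before it expires.
REPLAY_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        event, ts, user, sid, ip, ua = line.split(",", 5)
        events.append({
            "event": event,
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "sid": sid,
            "ip": ip,
            "ua": ua,
        })
    return events


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one finding per session presented from a different client
    (IP and user agent both changed) within `window` of its MFA success.

    Requiring both fields to differ reduces noise from legitimate network
    changes (e.g. a laptop moving between Wi-Fi and mobile data keeps its
    user agent); tune this to your own log fields and false-positive rate.
    """
    issued = {}   # session_id -> (mfa_time, ip, user_agent) of the real client
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "MFA_OK":
            issued[e["sid"]] = (e["ts"], e["ip"], e["ua"])
        elif e["event"] == "SESSION_USE" and e["sid"] in issued:
            mfa_ts, ip0, ua0 = issued[e["sid"]]
            changed_client = e["ip"] != ip0 and e["ua"] != ua0
            if changed_client and e["ts"] - mfa_ts <= window:
                findings.append({
                    "session_id": e["sid"],
                    "user": e["user"],
                    "issued_to_ip": ip0,
                    "used_from_ip": e["ip"],
                    "used_from_ua": e["ua"],
                    "seconds_after_mfa": int((e["ts"] - mfa_ts).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in find_session_replays(parse_log(SAMPLE_LOG)):
        print(f"possible AiTM token replay: {f}")
```

In the sample data only `sess-1a2b` is flagged: it was issued to a browser on 198.51.100.23 and presented 171 seconds later from 203.0.113.77 with a scripted client. A finding like this is a trigger to revoke the session and the refresh tokens, not to wait for the user to report anything. On the prevention side, the reason the page singles out TOTP and push MFA is that both are relayed transparently by the proxy; origin-bound authenticators (FIDO2/WebAuthn) fail on the lookalike domain because the credential is bound to the legitimate origin, which is why they are classed as phishing-resistant.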

Deepfake CFO Voice Scams

Attackers clone executive voice using publicly available audio, then call finance staff with urgent wire authorisation requests. In documented cases, the cloned voice passes human recognition and the call sounds indistinguishable from the real CFO. The financial losses per incident run into millions. Read our full briefing on AI voice phishing →

ICT Third-Party Compromise

DORA's entire third-party chapter exists because financial sector supply chain attacks are escalating. A compromised core banking software vendor, payment processing provider, or cloud infrastructure supplier can cascade failures across dozens of institutions simultaneously. Staff training includes recognising suspicious vendor communications, verifying software update legitimacy, and escalating unusual third-party access requests — all direct DORA Article 28 risk vectors.

Ransomware on Trading Systems

Investment firms and market infrastructure operators face ransomware that specifically targets trading platforms, order management systems, and settlement infrastructure. A ransomware event on a trading system triggers DORA's major incident reporting obligation — 4 hours for early notification, 72 hours for full report. Staff who don't recognise the phishing or credential theft that precedes ransomware deployment are the gap that regulators will focus on.

One flat rate. Role-specific content. Documented for your DORA compliance file.

Personal
$150
For individual ICT staff or compliance officers.
  • 60-minute personalised Zoom session
  • DORA Article 13 ICT awareness coverage
  • Role-specific threat scenarios
  • AiTM phishing & social engineering defence
  • 24/7 emergency session access (+$100)
Attendance record provided for your DORA training register.
Book this session →
Business (unlimited users)
$900
Unlimited users · $900 flat — satisfies Art. 13 for all staff.
  • 2-hour comprehensive live webinar
  • Unlimited participants — no per-seat fees
  • Role-specific scenario tracks by function
  • Senior management + ICT staff coverage
  • Attendance record + session summary provided
$900 flat. Train your entire organisation at once.
Book this session →

Common questions from DORA-scope financial entities.

Who is in scope for DORA?

DORA applies to a broad range of EU financial entities: credit institutions (banks), payment institutions, e-money institutions, investment firms, crypto-asset service providers (CASPs) under MiCA, alternative investment fund managers, insurance and reinsurance undertakings, insurance intermediaries, pension funds, credit rating agencies, crowdfunding service providers, and securitisation repositories. Critically, it also applies to ICT third-party providers (ICT TPPs) that are deemed critical by the European Supervisory Authorities — meaning technology vendors serving financial entities may also be directly in scope.

What is 'role-specific' training under DORA Article 13(6)?

Article 13(6) requires financial entities to provide ICT security awareness programmes and digital operational resilience training to ICT staff and members of senior management, with programmes tailored to the function concerned. In practice, this means a front-office trading employee needs training on AiTM phishing and social engineering specific to trading workflows, while a risk manager needs training on ICT concentration risk and third-party incident reporting. Our Business tier session is structured with role-specific scenario tracks — we segment the content by function (operations, finance, IT, senior management) within a single live session so every role gets targeted training.

Does DORA require management training?

Yes. Article 13(6) explicitly includes 'members of senior management' in the training requirement. The management body is also responsible under Article 5 for defining and approving the ICT risk management framework, approving the digital resilience strategy, and overseeing ICT-related incidents. Board members who don't understand the threat landscape they're approving controls for cannot meet this standard. Our Executive tier session is built for management body members — covering DORA's governance obligations, what 'approving the ICT risk framework' actually requires, and how to recognise the threat patterns most likely to trigger a major ICT incident notification.

How often must DORA training happen?

DORA does not specify a fixed frequency but requires programmes to be 'regular' and proportionate to the entity's risk profile. The EBA, ESMA, and EIOPA regulatory technical standards (RTS) on ICT risk management indicate annual training as the baseline, with supplemental training triggered by significant incidents, major changes to the threat landscape, or regulatory updates. Most financial entities with mature compliance programmes are moving to annual live training plus quarterly micro-sessions. Booking a live session this year creates the documented baseline — attendance records are provided with every session.

What are the penalties for DORA non-compliance?

For financial entities, competent authorities can impose periodic penalty payments of up to 1% of average daily worldwide turnover for every day of ongoing non-compliance, up to six months. For natural persons (individual senior managers) who are found to bear personal responsibility for a DORA violation, fines up to €1,000,000 apply. For critical ICT third-party providers, the Lead Overseer can impose fines up to 1% of average daily worldwide turnover per day, sustained for up to six months. The enforcement regime is materially stricter than most pre-DORA ICT risk frameworks — and the training obligation under Article 13 is one of the clearest, most auditable requirements in the regulation.

DORA enforcement is live. Article 13 training is auditable today.

One Business tier session delivers role-specific Article 13 training for all staff and senior management — with attendance records for your compliance file. $900 flat, unlimited participants.