DORA's training requirements and how to meet them

What are DORA's training requirements?

A lot of companies in the financial sector have measures in place when it comes cybersecurity, says Eva van Emmerik, Manager Financial Markets at Secura. 'However, the new DORA regulation will professionalize cybersecurity in this field even more. By the 17th of January 2025, EU companies in finance must be compliant with DORA, the Digital Operational Resilience Act. Among other things, DORA requires a number of training measures.'

Up-to-date knowledge

One of DORA's requirements is that the board must have up-to-date knowledge of cybersecurity, says Van Emmerik, 'But in fact, DORA requires all staff to be trained in cybersecurity awareness and operational resilience. Any training should be relevant to the role somebody plays within the company. So think about which possible risk a person poses to the organization and how you can train them to properly address that risk if needed. From that perspective it is also relevant to think about your third-party IT-providers and how you can make sure they have also had the proper cyber security training.'

Why does DORA require management training?

Eva van Emmerik: 'DORA states, in article 5, that management must 'bear the ultimate responsibility for managing the financial entity’s ICT risk.' This means that boardroom members and higher management will be held accountable for the cybersecurity of their organization.'

'Of course, many managers have some cybersecurity know-how or experience with an awareness training. But besides the CISO, most people don’t think about cyber security on a daily basis, let alone that they have a deep understanding of this continuous developing field of expertise. To be able to oversee the consequences of certain risks, or to keep a cool head in case of a cyber incident and take the right decisions, you need need to know what you are talking about. That's why DORA explicitly states that management needs to follow cybersecurity training.'

Who should follow a DORA boardroom training?

First, make sure the board and higher managament of the organization is present at a training, says De Nies. 'But also try to add your security officer and IT-manager. Cybersecurity is a joint responsibility and this way you can meet and discuss current issues. DORA also covers legal aspects, so maybe also invite a representative of the legal department. This close relationship between cybersecurity and legal requirements is why Secura has joined forces with De Clercq Lawyers and Notary for our own DORA Boardroom Training.'

How do you know if you meet DORA's training requirements?

DORA doesn't specify which exact cybersecurity training is sufficient, says Van Emmerik. 'It's up to organizations themselves to interpret this. Every employee needs to be trained to a level relevant to their role, people need to have up-to-date knowledge, and you should update knowledge after an incident. Cybersecurity is a dynamic field, so this requirement means a one-off training is not enough: it is a continuous process.'

By when do you have to comply to DORA's training requirements?

If DORA applies to your organization, you need to comply by the 17th of January 2025. 'Do not wait until until then to start with these training requirements', Van Emmerik urges. 'If you need to train 100 people and you wait until December 2024, you definitely won't make the deadline. Give your staff adequate time.'