DORA's training requirements and how to meet them

The new DORA regulation requires different kinds of training: not only for employees, but also for higher management. Which training does DORA require exactly?


What are DORA's training requirements?

A lot of companies in the financial sector already have measures in place when it comes to cybersecurity, says Eva van Emmerik, Manager Financial Markets at Secura. 'However, the new DORA regulation will professionalize cybersecurity in this field even more. By the 17th of January 2025, EU companies in finance must be compliant with DORA, the Digital Operational Resilience Act. Among other things, DORA requires a number of training measures.'

Up-to-date knowledge

One of DORA's requirements is that the board must have up-to-date knowledge of cybersecurity, says Van Emmerik. 'But in fact, DORA requires all staff to be trained in cybersecurity awareness and operational resilience. Any training should be relevant to the role somebody plays within the company. So think about which possible risk a person poses to the organization and how you can train them to properly address that risk if needed. From that perspective it is also relevant to think about your third-party IT providers and how you can make sure they have also had the proper cybersecurity training.'

Eva van Emmerik

Manager Financial Markets

Secura

Make sure you know what DORA demands of you, so you have enough time to map your responsibilities. As management you need to understand enough about cybersecurity to make informed decisions.

Why does DORA require management training?

Eva van Emmerik: 'DORA states, in article 5, that management must "bear the ultimate responsibility for managing the financial entity's ICT risk." This means that boardroom members and higher management will be held accountable for the cybersecurity of their organization.'

'Of course, many managers have some cybersecurity know-how or experience with an awareness training. But besides the CISO, most people don't think about cybersecurity on a daily basis, let alone have a deep understanding of this continuously developing field of expertise. To be able to oversee the consequences of certain risks, or to keep a cool head in case of a cyber incident and take the right decisions, you need to know what you are talking about. That's why DORA explicitly states that management needs to follow cybersecurity training.'


Boardroom training requirement

Article 5.4 of DORA: 'Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.'

Who should follow a DORA boardroom training?

First, make sure the board and higher management of the organization are present at a training, says De Nies. 'But also try to add your security officer and IT manager. Cybersecurity is a joint responsibility and this way you can meet and discuss current issues. DORA also covers legal aspects, so maybe also invite a representative of the legal department. This close relationship between cybersecurity and legal requirements is why Secura has joined forces with De Clercq Lawyers and Notary for our own DORA Boardroom Training.'


Natascha van Duuren

Lawyer and partner

De Clercq Lawyers and Notary

DORA contains a large legal aspect. It requires process steps around the contracting and selection of the IT service provider and also imposes a large number of substantive requirements on IT contracts.


Training requirements for the entire company

Article 13.6 of DORA: 'Financial entities shall develop ICT security awareness programs and digital operational resilience training as compulsory modules in their staff training schemes. These shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions.'

How do you know if you meet DORA's training requirements?

DORA doesn't specify which exact cybersecurity training is sufficient, says Van Emmerik. 'It's up to organizations themselves to interpret this. Every employee needs to be trained to a level relevant to their role, people need to have up-to-date knowledge, and you should update knowledge after an incident. Cybersecurity is a dynamic field, so this requirement means a one-off training is not enough: it is a continuous process.'

By when do you have to comply with DORA's training requirements?

If DORA applies to your organization, you need to comply by the 17th of January 2025. 'Do not wait until then to start with these training requirements', Van Emmerik urges. 'If you need to train 100 people and you wait until December 2024, you definitely won't make the deadline. Give your staff adequate time.'

DORA training

DORA Boardroom Training


During our DORA Boardroom Training, Secura and De Clercq Lawyers and Notary give you up-to-date insights on cybersecurity and DORA. After this 1-day training, you will meet the management training requirements of DORA and receive a certificate.

SAFE Awareness


SAFE is a comprehensive awareness program for your entire organization.

Cyber Crisis Exercises


How will your organization respond to a cyber crisis? Test this with one of our Cyber Crisis Exercises.


Why choose Secura | Bureau Veritas

At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.

Secura is the cybersecurity division of Bureau Veritas, which specializes in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.