DORA's training requirements and how to meet them
The new DORA regulation requires different kinds of training: not only for employees, but also for higher management. Which training does DORA require exactly?
What are DORA's training requirements?
A lot of companies in the financial sector already have cybersecurity measures in place, says Anne de Nies, Manager Financial Markets at Secura. 'However, the new DORA regulation will professionalize cybersecurity in this field even more. By the 17th of January 2025, EU companies in finance must be compliant with DORA, the Digital Operational Resilience Act. Among other things, DORA requires a number of training measures.'
One of DORA's requirements is that the board must have up-to-date knowledge of cybersecurity, says De Nies. 'But in fact, DORA requires all staff to be trained in cybersecurity awareness and operational resilience. Any training should be relevant to the role somebody plays within the company. So think about which possible risk a person poses to the organization and how you can train them to properly address that risk if needed. From that perspective it is also relevant to think about your third-party IT providers and how you can make sure they have also had the proper cybersecurity training.'
Anne de Nies
Manager Financial Markets
Make sure you know what DORA demands of you, so you have enough time to map your responsibilities. As management you need to understand enough about cybersecurity to make informed decisions.
Why does DORA require management training?
Anne de Nies: 'DORA states, in Article 5, that management must "bear the ultimate responsibility for managing the financial entity's ICT risk." This means that boardroom members and higher management will be held accountable for the cybersecurity of their organization.'
'Of course, many managers have some cybersecurity know-how or experience with an awareness training. But besides the CISO, most people don't think about cybersecurity on a daily basis, let alone that they have a deep understanding of this continuously developing field of expertise. To be able to oversee the consequences of certain risks, or to keep a cool head in case of a cyber incident and take the right decisions, you need to know what you are talking about. That's why DORA explicitly states that management needs to follow cybersecurity training.'
Boardroom training requirement
Article 5(4) of DORA: 'Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.'
Who should follow a DORA boardroom training?
First, make sure the board and higher management of the organization are present at a training, says De Nies. 'But also try to add your security officer and IT manager. Cybersecurity is a joint responsibility and this way you can meet and discuss current issues. DORA also covers legal aspects, so maybe also invite a representative of the legal department. This close relationship between cybersecurity and legal requirements is why Secura has joined forces with De Clercq Lawyers and Notary for our own DORA Boardroom Training.'
Natascha van Duuren
Lawyer and partner
De Clercq Lawyers and Notary
DORA contains a large legal aspect. It requires process steps around the contracting and selection of the IT service provider and also imposes a large number of substantive requirements on IT contracts.
Training requirements for the entire company
Article 13(6) of DORA: 'Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).'
How do you know if you meet DORA's training requirements?
DORA doesn't specify which exact cybersecurity training is sufficient, says De Nies. 'It's up to organizations themselves to interpret this. Every employee needs to be trained to a level relevant to their role, people need to have up-to-date knowledge, and you should update knowledge after an incident. Cybersecurity is a dynamic field, so this requirement means a one-off training is not enough: it is a continuous process.'
By when do you have to comply with DORA's training requirements?
If DORA applies to your organization, you need to comply by the 17th of January 2025. 'Do not wait until then to start with these training requirements', De Nies urges. 'If you need to train 100 people and you wait until December 2024, you definitely won't make the deadline. Give your staff adequate time.'
Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.
Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80,000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.