The Digital Operational Resilience Act has been fully applicable since January 17, 2025. For much of that first year, supervisory authorities maintained what most practitioners described as a tolerance period: reviewing paperwork, conducting readiness assessments, issuing guidance rather than penalties.
That period is over.
National competent authorities are now conducting active enforcement reviews, cross-checking Register of Information data automatically, and issuing the first compulsion payments. Only 50% of in-scope institutions reached full compliance by the end of 2025. A further 38% pushed their target into 2026. That means nearly half of all regulated entities are entering the enforcement phase with documented gaps.
One of the most consistently underprepared areas is training. DORA doesn't leave training to organisational discretion. It mandates it explicitly, specifies who must receive it, and requires that it reflects the complexity of each employee's role. This article explains what DORA requires, who it applies to, what the training obligations mean in practice, and what non-compliance costs. It sits alongside the broader compliance framing in GRC and the training gap.
50% of in-scope institutions reached full DORA compliance by the end of 2025 (Regulation-DORA.eu, 2025 Year-End Assessment).
38% pushed their compliance target into 2026, entering enforcement with documented gaps (Regulation-DORA.eu, Compliance Tracker, 2026).
20 distinct types of financial entities are in scope, plus the ICT third-party service providers serving them (EIOPA, DORA Entity Scope).
Section 01
What DORA Is and Who It Applies To
DORA — Regulation (EU) 2022/2554 — is a binding EU regulation designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions, cyberattacks, and system failures. It has been applicable since January 2025 and applies to 20 different types of financial entities and ICT third-party service providers.
The scope is broader than many organisations initially assumed. In-scope entities include banks, insurance companies, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, central securities depositories, credit rating agencies, and audit firms. It also applies to ICT third-party service providers whose services are critical to the operations of EU-based financial institutions. That means non-EU technology vendors serving EU financial entities are in scope too. If you provide cloud infrastructure, data services, or software to a regulated EU financial institution, DORA reaches you.
One point worth being clear on: DORA is a Regulation. It's binding in its entirety and directly applicable in all EU member states without requiring national transposition. There's no member state variation to navigate. If your organisation falls within scope, the obligations apply in full.
For L&D and compliance teams in financial services, the practical implication is that DORA isn't an IT department problem. The regulation explicitly reaches HR, risk, compliance, operations, and senior leadership. And it mandates training at every level of the organisation.
Section 02
The Five Pillars: What DORA Actually Requires
DORA organises its requirements into five pillars. Understanding all five matters for training design, because the training obligations connect directly to operational capability across each one.
Pillar 01
ICT risk management
Financial entities must establish and maintain a robust ICT risk management framework covering identification, protection, detection, response, and recovery. This is the pillar that generates the most widespread training need: employees across the organisation need to understand the framework, their role within it, and what they're expected to do when ICT risk materialises.
Pillar 02
ICT incident reporting
Major ICT incidents must be classified and reported to supervisory authorities within defined timeframes. Employees need to know what constitutes a reportable incident, what the classification criteria are, and what the reporting pathway is for their role. Knowing that a reporting obligation exists is not sufficient. Knowing how to trigger it is.
Pillar 03
Digital operational resilience testing
In-scope entities must conduct regular resilience testing, and significant firms must conduct threat-led penetration testing. This pillar primarily applies to ICT and security teams, but the results and their implications feed back into organisation-wide awareness.
Pillar 04
ICT third-party risk management
Entities must maintain oversight of all ICT third-party providers and ensure contracts contain specific resilience provisions. Procurement, vendor management, and legal teams have direct training needs here that a general ICT awareness module does not address.
Vendor due diligence training connects directly to this pillar.
Pillar 05
Information and intelligence sharing
DORA encourages financial entities to share cyber threat intelligence. Employees need to understand how sharing frameworks operate and what information can and cannot be shared.
Section 03
The Explicit Training Obligations: What the Regulation Actually Says
This is where DORA is more specific than most compliance regulations, and where most organisations have the largest gap. The regulation contains three distinct articles that mandate training directly.
Article 5(2)(g) — Management body budget obligation
Management bodies must allocate and periodically review the appropriate budget to fulfil digital operational resilience needs across all types of resources, including relevant ICT security awareness programmes and digital operational resilience training, and ICT skills for all staff.
Article 5(4) — Management body competence obligation
Members of the management body must actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.
Article 13(6) — Compulsory staff training obligation
Financial entities must develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes, applicable to all employees and senior management staff, with a level of complexity commensurate to the remit of their functions.
Three things follow from these articles that most organisations aren't yet acting on. First, training isn't discretionary: it's a compulsory module in the staff training scheme. Second, it applies to all employees, not just ICT staff. Third, it must be role-differentiated: the complexity must be commensurate with each employee's function. A single annual awareness module delivered uniformly to everyone from frontline staff to board members doesn't meet this standard. A supervisory authority conducting an enforcement review will identify that gap immediately.
Section 04
What Training Is Required by Role
The phrase "commensurate to the remit of their functions" in Article 13(6) isn't decorative. It creates a genuine role-differentiated training obligation. Three tiers emerge from reading the regulation's requirements together.
Every employee in a DORA-regulated entity needs baseline ICT security awareness training. At minimum this covers recognising phishing and social engineering attempts, understanding data handling obligations in an ICT context, knowing what constitutes a reportable incident, and understanding the organisation's ICT risk management framework at a level relevant to day-to-day work. The "all employees" scope catches organisations off guard when they map it properly. A compliance analyst at a payment institution, a relationship manager at an investment firm, a customer service representative at an e-money provider: all of them are in scope. The training doesn't need to be equally deep for all these roles. But it needs to exist for all of them.
ICT, risk, and compliance teams require deeper training covering the ICT risk management framework in operational detail, incident classification and reporting procedures, resilience testing methodologies, and third-party ICT risk assessment processes. For many financial institutions, this represents a significant uplift from what was previously required of these roles. The third-party risk management pillar generates particularly specific training needs here. A risk professional who can't evaluate whether an ICT vendor's contract contains the resilience provisions DORA requires has a compliance gap that no awareness module closes.
Article 5(4) requires members of the management body to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk. This isn't awareness training. It's the ability to interrogate risk reports, ask the right questions of technical teams, understand what resilience testing results mean for the organisation's actual exposure, and make informed decisions about ICT investment and third-party relationships. The same governance judgment capability is described in senior leaders AI training: different regulation, same structural gap. The individual liability provision described in section five makes this tier the most urgent for boards to prioritise.
| Tier | Audience | Core content | Obligation source |
| --- | --- | --- | --- |
| One | All employees | ICT awareness, phishing recognition, incident reporting pathway, risk framework overview | Art. 13(6) |
| Two | ICT, risk, compliance, procurement | Risk management framework depth, incident classification, resilience testing, third-party risk assessment | Art. 5(2)(g) + 13(6) |
| Three | Senior management and board | ICT risk governance, resilience testing interpretation, third-party oversight judgment, regulatory accountability | Art. 5(4) |
One important practical note: DORA doesn't specify exactly which training is sufficient for each tier. But it's clear on the principles. Knowledge must be current. Training must be updated after incidents. And cybersecurity is a dynamic field, so a one-off programme completed in 2025 does not meet the ongoing obligation in 2026.
Section 05
The Penalty Framework: What Non-Compliance Costs
The enforcement picture in 2026 makes the training obligation materially urgent in a way it was not during the 2025 tolerance period. The numbers here are worth stating plainly.
Entity penalty
Up to 2% of global turnover
National competent authorities can impose administrative fines of up to 2% of total annual global turnover or €10 million, whichever is higher.
Individual penalty
Up to €1 million personally
Responsible persons can be fined individually up to €1 million. This is the provision that makes the senior management training tier the most urgent for boards to prioritise.
CTPP penalty
Daily 1% of global turnover
For designated Critical Third-Party Providers, the framework is more stringent: daily penalty payments of up to 1% of average daily global turnover for continued non-compliance, for up to six months.
Reputational penalty
Public disclosure of breach
Authorities can issue cease and desist orders requiring immediate remediation and publicly disclose the identity of the entity and the nature of the breach. The reputational cost often exceeds the financial penalty.
⚠ Individual Liability at Board Level
The individual liability provision deserves particular attention. A board member or senior executive who has not maintained up-to-date ICT risk knowledge as required by Article 5(4) is not just exposing the organisation to regulatory sanction. They are personally exposed to a fine of up to €1 million. That changes the calculus on whether board-level DORA training is optional in a way that few other compliance obligations do. The same personal accountability dynamic applies under the EU AI Act. See senior leaders training for the parallel.
Section 06
What Most Organisations Are Getting Wrong on DORA Training
Three patterns account for most of the DORA training gaps that enforcement reviews are identifying in 2026. None of them are subtle. All of them are common.
Mistake 01
Treating DORA training as an IT department obligation. Article 13(6) is unambiguous: the training applies to all employees. Organisations that have delivered DORA awareness only to ICT and security teams have met a fraction of the requirement and created documented exposure everywhere else. The supervisory authority's review checklist doesn't stop at the IT function.
Mistake 02
Delivering a single undifferentiated module. The commensurate complexity requirement means a single eLearning course rolled out to everyone from frontline staff to board members doesn't meet the standard. That module may satisfy a completion audit. It will not satisfy a supervisory authority examining whether training genuinely reflected the complexity of each employee's function — because it demonstrably did not.
Mistake 03
Treating it as a one-time event. A one-off training programme completed in 2025 doesn't meet the ongoing obligation. Knowledge must be current and updated after incidents. An organisation that completed its DORA training in Q1 2025 and hasn't revisited it is operating on knowledge that predates the first year of enforcement — not meeting the continuous obligation Article 5(4) explicitly requires. See reinforcing AI training for the reinforcement principles that apply equally to DORA.
Section 07
What Good DORA Training Looks Like in Practice
Good DORA training in 2026 has four characteristics that distinguish it from compliance checkbox delivery.
Four Characteristics of Good DORA Training
Role-differentiated from the design stage. The three-tier architecture needs to be the starting point, not something retrofitted after a single module has been built. Each tier has different content, different scenarios, and different assessment criteria.
Scenario-based rather than definition-based. Employees at every level need to encounter the situations DORA is designed to address: a suspected phishing attempt on a client call, an ICT incident classification decision under time pressure, a vendor contract review that requires evaluating resilience provisions. Abstract regulatory awareness doesn't produce the behaviour those situations require.
Senior management treated as a distinct audience. Board and executive training needs to address the governance judgment capability Article 5(4) requires, not just provide a summary of what DORA is. A slide deck at the board away-day is not a training programme.
Designed for continuous delivery. Each regulatory update, each incident, and each new ICT deployment is a trigger for training review. The organisations that will be best positioned in enforcement reviews are those that can demonstrate not just that training happened, but that it has been maintained, updated, and applied to their evolving risk profile.
Where does your organisation currently sit against these four characteristics? For most financial services organisations in 2026, one of the four is typically stronger than the others, and two are genuinely weak. The gap analysis approach that surfaces this clearly is covered in assessing AI learning gaps. The same methodology applies to DORA readiness.
The Standard Worth Aiming For
DORA's training obligations are explicit, role-differentiated, and continuous. Organisations still treating them as a single annual awareness event are not compliant. And enforcement in 2026 is active, not theoretical. The question isn't whether your training programme satisfies a completion audit. It's whether it would satisfy a supervisory authority examining whether training genuinely reflected the complexity of each employee's function.
Frequently Asked Questions
DORA Training — Common Questions
Answers to the questions compliance leads, L&D directors, and senior risk professionals most commonly ask when building DORA training that meets the regulation's explicit requirements.
What is DORA and who does it apply to?
DORA (Regulation EU 2022/2554) is a binding EU regulation ensuring financial entities can withstand, respond to, and recover from ICT-related disruptions. It has been fully applicable since January 17, 2025, and applies to 20 types of financial entities — banks, insurance, investment firms, payment institutions, crypto-asset service providers, credit rating agencies, and more. It also applies to non-EU technology vendors serving EU financial institutions. DORA is a Regulation, not a Directive, meaning it's directly applicable in all EU member states with no national transposition required.
What does DORA specifically require about training?
Three articles mandate training directly. Article 5(2)(g) requires management bodies to allocate budget for ICT security awareness programmes and digital operational resilience training. Article 5(4) requires management body members to keep up to date with sufficient knowledge through regular specific training. Article 13(6) requires ICT security awareness programmes as compulsory modules in staff training schemes — applicable to all employees and senior management, with complexity commensurate to the remit of their functions.
What are the penalties for DORA non-compliance?
Fines up to 2% of total annual global turnover or €10 million (whichever is higher) for the entity. Responsible individuals can be fined up to €1 million personally. Authorities can also issue cease and desist orders and publicly disclose the breach. For Critical Third-Party Providers, the framework is more stringent: daily penalty payments of up to 1% of average daily global turnover for continued non-compliance, for up to six months.
Is DORA training only for IT and security staff?
No. Article 13(6) is unambiguous: training applies to all employees. Organisations that have delivered DORA awareness only to ICT and security teams have met a fraction of the requirement and created documented exposure everywhere else. The regulation requires three tiers of training: all employees (baseline ICT security awareness), ICT/risk/compliance/procurement (technical operational resilience), and senior management and board (governance-level ICT risk literacy under Article 5(4)).
What does good DORA training actually look like?
Four characteristics. Role-differentiated from the design stage — three-tier architecture is the starting point. Scenario-based rather than definition-based — employees encounter the actual situations DORA is designed to address. Senior management treated as a distinct audience — the governance judgment Article 5(4) requires, not a board away-day slide deck. Designed for continuous delivery — each regulatory update, incident, and new ICT deployment is a trigger for training review.
See reinforcing AI training for the reinforcement principles that apply equally to DORA.
DORA's training obligations are explicit, role-differentiated, and continuous. Organisations still treating them as a single annual awareness event are not compliant, and enforcement in 2026 is active. Savia's GRC learning paths include DORA-specific content designed for all three training tiers, built around the scenarios your teams will actually encounter.