Building a DORA Art. 9 Training Programme: From Board to Intern

The Training Gap
DORA contains two distinct training requirements. Art. 5(4) requires that "members of the management body shall, on a regular basis, follow specific training to gain and maintain sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity." Art. 9(4)(c) requires "digital operational resilience awareness programmes and ICT security training as obligatory modules in staff training schemes."
These are not the same requirement. Art. 5(4) targets the management body with specialized training on ICT risk governance. Art. 9(4)(c) targets all staff with awareness and training appropriate to their role. Together, they mandate a training programme that spans from the board to the most junior employee — each level receiving content appropriate to their responsibilities under DORA.
Most financial institutions' current training falls short. The typical programme: an annual online module on phishing awareness, password hygiene, and social engineering. This covers basic cybersecurity hygiene but does not address DORA's specific requirements: understanding the ICT risk management framework, recognizing ICT-related incidents vs. service requests, knowing the incident classification and reporting procedures, understanding individual roles in business continuity, and knowing when and how to escalate.
The ECB's 2024 cyber stress test identified training adequacy as a factor in recovery performance. Institutions where staff understood their roles in incident response and business continuity performed better than institutions where the response was improvised.
Training Programme Architecture
Audience Segmentation
DORA's training requirements apply to the entire organization, but content, depth, and delivery must be segmented by role:
| Audience | DORA Requirement | Training Depth | Frequency |
|---|---|---|---|
| Management body (board, CEO, CxO) | Art. 5(4) — specific ICT risk training | Strategic: governance, risk appetite, supervisory expectations | Semi-annual |
| Senior management (VPs, department heads) | Art. 5(4) + Art. 9(4)(c) | Tactical: risk management framework, escalation, reporting | Annual + event-driven |
| IT and security staff | Art. 9(4)(c) | Technical: incident response, testing, change management, tool proficiency | Quarterly |
| Business function owners | Art. 9(4)(c) | Operational: BCP roles, BIA understanding, vendor management | Annual |
| All other staff | Art. 9(4)(c) | Awareness: incident recognition, reporting, basic security hygiene | Annual + event-driven |
| Third-party/vendor staff (with system access) | Art. 28 — third-party security | Operational: institution's security policies, incident reporting | At onboarding + annual |
Content Framework by DORA Pillar
Module Design by Audience Level
Module 1: Management Body Training (Art. 5(4))
Art. 5(4) is explicit: management body members must "gain and maintain sufficient knowledge and skills to understand and assess ICT risk." This is not a suggestion. Supervisors will examine whether board members received ICT risk training and can demonstrate understanding.
Content:
- DORA's governance model: management body accountability under Art. 5
- Art. 14 reporting obligations: what the board must receive, review, and decide
- ICT risk appetite: how to set, communicate, and enforce
- 12 DORA KPIs: understanding dashboard metrics
- Incident classification thresholds: when does an ICT incident become a board-level issue?
- Third-party concentration risk: understanding HHI (Herfindahl-Hirschman Index) concentration analysis and vendor dependency
- Testing programme oversight: understanding test results and their implications
- Emerging threats: ransomware trends, AI risks, supply chain attacks
- Supervisory expectations: what examiners will ask the board
Delivery: Interactive workshop (not e-learning), 2-3 hours, facilitated by CISO or external expert. Case studies from recent financial sector incidents.
Assessment: Not a written test (boards will not take exams). Assessment through quality of questions asked during the session, subsequent board discussions demonstrating ICT risk understanding, and management body decisions reflecting training content (e.g., approving appropriate risk appetite, requesting additional information on testing gaps).
Evidence: Attendance records, session materials, board minutes reflecting ICT risk discussions.
Module 2: IT and Security Staff Technical Training
Technical staff need deep knowledge of DORA's operational requirements relevant to their roles.
Content by sub-audience:
| Sub-Audience | Training Focus | Key Content |
|---|---|---|
| SOC / incident response | Art. 17-23 incident management | Classification criteria, Art. 19 timelines, evidence preservation, communication protocols |
| Infrastructure / operations | Art. 7, 11, 12 reliability and recovery | Change management, DR testing, backup procedures, baseline control |
| Development / DevOps | Art. 7, 9, 24 secure development | DevSecOps pipeline, vulnerability management, testing |
| Vendor / third-party management | Art. 28-30 third-party risk | Vendor risk scoring, Art. 30 contractual provisions, exit strategies |
| Compliance / risk | Cross-cutting | All five pillars, regulatory reporting, register of information, evidence management |
Delivery: Combination of e-learning modules (knowledge) and hands-on exercises (skill). Incident response tabletop exercises, DR drill participation, and red team exercise observation.
Assessment: Written assessment with minimum passing score. Practical assessment through participation in exercises and drills.
Module 3: All-Staff Awareness Programme
Every employee must understand their role in the institution's operational resilience. This is not optional under Art. 9(4)(c).
Content:
- What is DORA and why does it matter to your role?
- Recognizing an ICT incident vs. a service request (when to call the helpdesk vs. when to trigger the incident process)
- Your role during an ICT incident (communication channels, escalation contacts, what to do and what not to do)
- Basic security hygiene: phishing recognition, password management, device security, social engineering awareness
- Data handling: classification levels, handling requirements by classification
- Third-party awareness: recognizing when a vendor issue is an incident worth reporting
- Business continuity: knowing your BCP role, assembly points, communication channels
Delivery: Annual e-learning module (30-45 minutes) with interactive scenarios. Supplemented by event-driven awareness communications (e.g., when a new threat targeting the sector is identified).
Assessment: Online quiz with minimum 80% passing score. Completion tracked per employee.
Training Evidence for DORA Compliance
Every training activity must produce auditable evidence:
| Evidence Type | Content | Retention |
|---|---|---|
| Training plan | Annual plan with audiences, modules, schedule | Current + 3 years |
| Completion records | Per-employee completion, date, score | Current + 5 years |
| Training materials | Module content, version, update history | Current + 3 years |
| Assessment results | Individual scores, aggregate pass rates | Current + 5 years |
| Board training records | Attendance, facilitator, materials, topics | Current + 7 years (Art. 5(4) evidence) |
| Exercise reports | Tabletop/drill participation, findings, lessons learned | Current + 5 years |
Measuring Programme Effectiveness
Training completion rates are a process metric, not an effectiveness metric. Supervisors care about whether training produces the intended outcome: staff who can identify, respond to, and escalate ICT incidents correctly.
Effectiveness metrics:
| Metric | Measurement | Target |
|---|---|---|
| Completion rate | % of eligible staff completing required modules | > 95% |
| Assessment pass rate | % passing on first attempt | > 85% |
| Phishing simulation click rate | % clicking simulated phishing links | < 5% (industry benchmark: 10-15%) |
| Incident reporting accuracy | % of incidents correctly classified at first report | > 80% |
| BCP role awareness | % of staff able to identify their BCP role in survey | > 90% |
| Board ICT risk discussion quality | Qualitative: board minutes reflect substantive ICT risk engagement | Assessed by CISO |
Supervisory Examination Focus
The EBA and national competent authorities will examine:
- Art. 5(4) compliance: Did management body members receive specific ICT risk training? Can they demonstrate understanding? (Not just attendance records — substantive understanding evidenced through board decisions and discussions.)
- Art. 9(4)(c) compliance: Does the institution have a structured awareness programme? Is completion tracked? Is content role-appropriate?
- Training currency: When was the last training update? If the training content has not been updated since DORA became applicable, it likely does not address DORA-specific requirements.
- Incident response readiness: Can staff demonstrate they know how to recognize and escalate an ICT incident? This may be tested through examination interviews, not just training records.
Key Takeaways
- DORA has two distinct training requirements: Art. 5(4) for the management body (specific ICT risk training) and Art. 9(4)(c) for all staff (awareness and security training).
- Training must be role-segmented: board, senior management, IT/security, business owners, all staff, and third-party personnel each need different content, depth, and frequency.
- Board training is not a checkbox. Supervisors will assess whether management body members can demonstrate ICT risk understanding, not just attendance.
- All-staff awareness goes beyond phishing. DORA requires that staff understand incident recognition, escalation, BCP roles, and data handling — not just password hygiene.
- Effectiveness metrics matter more than completion rates. Measure incident reporting accuracy, BCP role awareness, and phishing simulation results.
- Training evidence is compliance evidence. Maintain auditable records of training plans, completion, assessments, and materials.
Summary
DORA contains two distinct training requirements: Article 5(4) imposes specific ICT risk training for members of the management body, and Article 9(4)(c) requires operational resilience awareness programmes for all staff. This guide proposes a structured programme segmented by audience: the board (semi-annual interactive workshop on ICT risk governance, risk appetite and Art. 14 reporting obligations), IT/security staff (quarterly technical training on incident response, testing and change management), and all staff (annual awareness module covering incident recognition, escalation, BCP roles and data handling). Supervisors will assess whether members of the management body can demonstrate a substantive understanding of ICT risk, not merely attendance at sessions. Effectiveness metrics (assessment pass rates, incident classification accuracy, simulated phishing click rates) matter more than completion rates. Training evidence (plans, completion records, assessment results, exercise reports) is compliance evidence subject to retention requirements.