There are many variations of passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour believable.

4140 Parker Ave, St. Louis, MO 63116


      DORA Compliance: Training Requirements Under Article 13(6)

      DORA has applied since January 17, 2025. What the regulation requires, the five pillars of compliance, and what Article 13(6) demands for training.

      Shortcuts:

      DORA: what financial organizations must do about security awareness training.

      The Digital Operational Resilience Act has applied across the EU since January 17, 2025. For financial sector organizations, it mandates compulsory cybersecurity training for all staff and management, not as a recommendation, but as an enforceable legal obligation.

      In this article:

      What DORA is and who it applies to

      DORA vs NIS2: key differences

      The five pillars of DORA compliance

      What Article 13(6) requires for training specifically

      How Nimblr meets DORA's training obligations

      What is DORA?

      DORA, the Digital Operational Resilience Act (Regulation EU 2022/2554), is the EU's framework for managing ICT risk in the financial sector. It was adopted in December 2022 and became applicable on January 17, 2025, giving organizations two years to prepare. That preparation window has closed: the obligations are now in full effect.

      Unlike a directive, which must be transposed into national law, DORA is a regulation. It applies directly and uniformly across all EU member states. There is no variation between countries: if your organization is in scope, the obligations are the same whether you are in Stockholm, Frankfurt, or Dublin.

      DORA vs NIS2

      DORA vs NIS2: what's the difference?

      NIS2 is a directive, implemented into national law, with a broad scope covering critical sectors across the economy and general cybersecurity risk management requirements. Its transposition deadline was October 2024.

      DORA is a regulation, directly binding with no national variation, with a narrow scope covering the financial sector only, and deeper ICT-specific requirements including resilience testing. It has applied since January 2025.

      If your organization falls under DORA's scope, DORA takes precedence over NIS2 for financial sector-specific obligations, but both may apply simultaneously depending on your activities. They are complementary, not mutually exclusive. Read more about how NIS2 impacts your organization.

      Who does DORA apply to?

      Banking and credit: credit institutions, payment institutions, e-money institutions

      Investment and trading: investment firms, trading venues, central counterparties, central securities depositories

      Insurance: insurance and reinsurance undertakings and intermediaries

      Fund management: AIF managers, UCITS management companies

      Crypto and fintech: crypto-asset service providers, crowdfunding platforms

      Data and ICT: data reporting service providers, critical ICT third-party providers

      Pensions: institutions for occupational retirement provision above size thresholds

      Other financial actors: credit rating agencies, benchmark administrators, securitization repositories

      (For full details and exemptions, see Regulation (EU) 2022/2554, Article 2.)

      The five pillars of DORA compliance

      1. ICT risk management

      Financial entities must establish a comprehensive internal ICT risk management framework covering governance, risk identification, protection, detection, response, recovery, and learning. Management is accountable. The framework must be reviewed regularly and integrated into the organization's overall risk strategy.

      2. ICT incident reporting

      Organizations must classify, manage, and report significant ICT incidents to their competent authority. Initial notification of a major incident is required within tight deadlines, followed by detailed reporting, and affected customers must be notified where relevant.

      3. Digital operational resilience testing

      All in-scope entities must conduct regular ICT system testing, including vulnerability assessments and scenario-based testing. Significant institutions must undergo Threat-Led Penetration Testing (TLPT), advanced red team exercises, at regular intervals with results reported to authorities.

      4. Third-party ICT risk management

      ICT third-party risks must be integrated into the overall risk framework. Pre-contract risk assessments are mandatory, contracts with ICT providers must meet specific requirements including exit strategies and audit rights, and an annual report and registry of all ICT third-party contracts is required.

      5. ICT security awareness and training

      Article 13(6) requires compulsory ICT security awareness programs and digital operational resilience training for all employees and senior management, scaled to the complexity of their roles. This is where Nimblr's platform maps directly to a DORA obligation.

      What Article 13(6) requires for training

      Article 13(6) of the regulation requires financial entities to develop ICT security awareness programs and digital operational resilience training as "compulsory modules in their staff training schemes," applicable to all employees and senior management, with complexity matched to each role. In practice, that means:

      Training must be compulsory, not optional. It must be embedded as a formal module in staff training schemes, not offered as a self-service resource employees can ignore.

      All employees are in scope, including senior management. No exceptions based on seniority. Management must receive training too, with complexity appropriate to their strategic responsibilities.

      ICT third-party providers should also be included where appropriate. Article 13(6) references Article 30(2)(i), meaning the training obligation can extend to critical ICT suppliers in your ecosystem.

      Complexity must match the role. A front-office employee and a CISO do not receive the same training. Content must be calibrated to the actual ICT risk exposure and responsibilities of each function.

      Training must be documented and demonstrable. DORA's broader emphasis on governance and auditability means you need records: who completed what, when, and at what level. Saying "we do training" is not sufficient evidence.

      How Nimblr maps to DORA Article 13(6)

      Nimblr's platform is designed to satisfy DORA's training and awareness obligations and generate the documented evidence that auditors require:

      Compulsory training delivery. Automated enrollment ensures all employees receive training, with no opt-in required.

      Role-appropriate content. Dedicated tracks for general staff and management, with appropriate depth per audience.

      Complete training records. Every completed module is logged with timestamps. Export your training data for auditors at any time.

      Phishing and smishing simulations. Simulated attacks provide behavioral evidence of ICT security awareness, not just self-reported completion.

      Awareness Level scoring. Quantified, per-employee awareness data demonstrating measurable progress over time.

      No login required. Employees complete training via email link, maximizing completion rates across the whole organization.

      Need to meet DORA's Article 13(6) training requirement? Book a demo and we'll show you exactly how Nimblr satisfies the obligation, with the audit trail to prove it. For the bigger compliance picture, see our compliance page.

      FAQ

      FAQ: DORA

      When did DORA come into force?

      DORA entered into force on January 16, 2023 and became applicable, meaning enforceable, on January 17, 2025. Organizations had two years to prepare. It is now in full effect.

      Does DORA apply to non-EU financial firms?

      DORA applies to financial entities operating within the EU, regardless of where they are headquartered. If you serve EU customers or operate through EU-registered entities, DORA obligations are likely to apply to those operations.

      What is the difference between DORA and GDPR?

      GDPR focuses on the protection of personal data. DORA focuses on the operational resilience of ICT systems in the financial sector, including risk management, incident response, resilience testing, and awareness training. The two overlap in areas like incident reporting but serve different primary purposes.

      Do smaller financial firms need to comply with DORA?

      Yes, though DORA applies proportionality: smaller and less complex entities may apply simplified requirements for certain obligations. The training requirement in Article 13(6), however, applies regardless of size. All in-scope entities must provide compulsory ICT security awareness training.

      What counts as evidence of DORA training compliance?

      Regulators expect documented records: completion logs showing who completed which modules and when, evidence that training covers the right topics, role-appropriate content for management versus general staff, and evidence of regular repetition, not just a one-off annual session.

      Author
      Nimblr Security Awareness
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.
      Get a personalized demo session at your convenience. Book a demo and let one of our experts walk you through Nimblr solution, the platform, and how quickly you can get started.