Blend
Compliance Training 28 March 2026

DORA Article 13 Training Obligations: A Plain English Guide

What DORA Article 13 actually requires for ICT security training, how it connects to Articles 5 and 30, and what proportionate looks like.

By Tom Payani

DORA Article 13 is titled "Learning and evolving." It is one of the shorter articles in the regulation, running to just a few paragraphs. It is also one of the most consequential for training and compliance teams, because it establishes the obligation for ICT security awareness and digital operational resilience training across the entire financial entity.

Despite its importance, Article 13 is frequently misread. Some organisations interpret it as a narrow cybersecurity awareness requirement. Others treat it as a general recommendation rather than a binding obligation. Both readings miss the mark, and both create compliance gaps that a supervisory authority could identify in a routine examination.

This guide sets out what Article 13 actually says, how it connects to the broader DORA framework, and what a proportionate training programme looks like in practice.


What Article 13 Actually Says

The relevant text of Article 13(6) of Regulation (EU) 2022/2554 states:

"Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i)."

There are five operative elements in this text that deserve careful attention.

"Compulsory modules." This is not advisory language. The regulation requires financial entities to develop ICT security awareness and digital operational resilience training and to include them as compulsory components of their staff training schemes. The obligation is to create and mandate the training, not merely to make it available.

"Applicable to all employees and to senior management staff." The scope is universal within the entity. The regulation does not carve out non-technical functions, administrative roles, or junior staff. Every employee is within scope. Senior management is mentioned separately to emphasise that the obligation reaches the top of the organisation, not to limit it to the top.

"A level of complexity commensurate to the remit of their functions." This is the proportionality principle applied to training. A board member and a customer service representative both need training, but they do not need the same training. The content, depth, and assessment must be calibrated to the individual's role and responsibilities. A flat, one-size-fits-all programme does not satisfy this requirement.

"ICT security awareness programmes and digital operational resilience training." These are presented as two distinct categories, not synonyms. ICT security awareness addresses basic security hygiene, threat recognition, and safe behaviour. Digital operational resilience training addresses the broader framework — incident response, business continuity, third-party risk, and recovery planning. A programme that covers only cybersecurity awareness but not operational resilience may fall short of the article's full scope.

"Include ICT third-party service providers." Where appropriate, the training obligation extends beyond the entity's own workforce to the staff of third-party ICT providers. This reflects DORA's recognition that operational resilience depends on the entire service chain, not just the regulated entity.


The Link to Article 5: Governance Responsibility

Article 13 does not operate in isolation. It sits within a framework where training obligations are reinforced at the governance level by Article 5.

Article 5(4) requires members of the management body to "actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk" and to "follow specific training commensurate with the ICT risks being managed." This is a personal obligation on individual directors and senior executives, distinct from the organisational obligation in Article 13.

The relationship between the two articles creates a two-tier structure:

Article 13 establishes the organisational training obligation. The financial entity must develop compulsory training applicable to all staff, proportionate to their roles.

Article 5 establishes the governance training obligation. Members of the management body must individually maintain sufficient knowledge and skills to understand and assess ICT risk. They must follow specific, commensurate training — not just the general programme that applies to all staff.

This distinction matters in practice. An organisation that deploys a single awareness module to the entire workforce, including the board, has not satisfied Article 5. Board members need governance-specific training that addresses their ICT risk oversight responsibilities, their role in approving the ICT risk management framework, and their ability to challenge the assumptions embedded in the organisation's resilience arrangements.

Equally, an organisation that provides excellent board-level training but neglects the Article 13 all-staff obligation has a different gap. Both articles must be satisfied independently, though the programmes should be designed as a coherent whole.

The practical implication is that training programmes need at least two tiers: a broad programme that satisfies Article 13 for all staff, and a governance-specific programme that satisfies Article 5 for the management body. Most organisations will benefit from additional tiers for operationally exposed roles and vendor-facing staff, as discussed below.


The Link to Article 30: Third-Party Risk

Article 13 explicitly references Article 30 in its extension of training obligations to ICT third-party service providers. This connection is worth understanding because it creates training implications that many organisations overlook.

Article 30 sets out the key contractual provisions that must be included in arrangements with ICT third-party service providers. Among these, Article 30(2)(i) requires that contracts include provisions on the participation of ICT third-party providers in the entity's ICT security awareness programmes and digital operational resilience training.

In practical terms, this means:

Your vendor contracts should address training. If your agreements with critical ICT service providers do not include provisions for their staff to participate in relevant training, there is a contractual gap under Article 30.

Your internal training programme needs a third-party dimension. Staff who manage vendor relationships — procurement, business owners, operational teams that depend on outsourced services — need to understand the DORA third-party framework. They need to know what contractual provisions are required, what monitoring obligations exist, and how to escalate concerns about a provider's resilience posture.

Provider staff may need training too. Where a third-party provider's personnel interact with your ICT systems or play a role in your operational resilience, Article 13 envisages that they may be included in your training schemes. The "where appropriate" qualifier gives organisations discretion, but the default expectation is inclusion for critical and important providers.

This triangulation — Article 13's training obligation, Article 30's contractual requirements, and the broader third-party risk framework — means that training programme design must account for the entire service chain, not just the entity's own employees.


Mandatory vs. Recommended: Where the Line Falls

One of the most frequently asked questions about Article 13 is whether the training obligation is genuinely mandatory or merely recommended. The text answers this directly — the word "compulsory" is unambiguous — but the nuance lies in what the regulation mandates versus what it leaves to organisational discretion.

What is mandatory:

  • Developing ICT security awareness programmes and digital operational resilience training.
  • Including these as compulsory modules in staff training schemes.
  • Applying the training to all employees and senior management.
  • Calibrating complexity to the remit of each person's functions.
  • Considering the inclusion of ICT third-party provider staff.

What is left to organisational discretion:

  • The specific format of training (eLearning, simulation, classroom, blended).
  • The frequency of training (though it must be ongoing, not one-off).
  • The specific content and curriculum (within the scope of ICT security and digital operational resilience).
  • The assessment methodology (though the evidence must demonstrate competence, not just completion).
  • The delivery mechanism and technology platform.

The management body's obligation under Article 5 is more prescriptive — it requires "specific training commensurate with the ICT risks being managed" and the ability to "understand and assess ICT risk." This sets a higher bar for board-level training than for general staff, both in terms of content specificity and competence demonstration.

For supervisory purposes, the practical test is whether the organisation can demonstrate that it has a functioning, proportionate, ongoing training programme that covers all in-scope staff and produces evidence of role-appropriate competence. The format and methodology are the organisation's choice. The existence, coverage, proportionality, and evidence quality are not.


What a Proportionate Programme Looks Like

Proportionality under Article 13 means matching training depth to role exposure. A one-size-fits-all programme fails this test by definition, but so does an overly complex programme with dozens of bespoke paths that becomes unmanageable to administer and evidence.

The most practical approach organises training into a small number of tiers, each mapped to a category of DORA-relevant responsibility.

Tier 1: Universal awareness. All employees receive training on ICT security hygiene (password management, phishing recognition, device security), incident recognition and escalation basics, and a high-level understanding of DORA's purpose and the organisation's resilience framework. This tier should be short, accessible, role-contextualised where possible, and delivered at least annually. It satisfies the baseline Article 13 obligation for staff with no direct ICT risk management responsibilities.

Tier 2: Operational resilience. Staff whose functions are directly affected by ICT disruption — operations, finance, compliance, customer services, business continuity — receive additional training on incident response procedures, business continuity during ICT disruption, and their function's role in the organisation's recovery plans. This tier should include scenario-based elements that test decision-making in realistic operational contexts. Evidence should demonstrate applied competence, not just awareness.

Tier 3: Third-party risk. Procurement, vendor management, and business owners of outsourced ICT services receive training on DORA's third-party framework, contractual requirements under Article 30, ongoing monitoring obligations, and escalation procedures for provider performance or resilience concerns. This tier addresses the Article 13/Article 30 intersection and should produce evidence that relevant staff understand their role in the third-party risk management chain.

Tier 4: Governance. Members of the management body and senior managers with ICT risk oversight responsibilities receive training that satisfies both Article 13 and Article 5. This should include governance-specific scenarios — supervising the ICT risk framework, challenging resilience assumptions, making resource allocation decisions during a major incident — and must demonstrate the ability to "understand and assess ICT risk" as required by Article 5. This is the highest-evidence tier and should produce decision-level audit trails, not just completion records.

The tiers overlap. A chief operating officer might need training at all four levels. A branch employee might need only Tier 1. The architecture allows the organisation to demonstrate proportionate coverage while maintaining a manageable programme structure.

As we explored in our analysis of DORA training for non-technical employees, the key to making this proportionate approach work is framing the content around each audience's actual decisions and operational context, rather than delivering a uniform regulatory briefing at varying lengths.


Building the Evidence Base

Article 13 does not specify how training must be evidenced, but the broader regulatory context makes clear that evidence matters. Supervisory authorities examining an organisation's ICT risk management framework will expect documentation that supports three claims:

Coverage. All in-scope staff received training. This requires records that map training delivery to the organisation's employee population, disaggregated by role or function. Gaps in coverage — departments, seniority levels, or locations that were missed — are the most straightforward supervisory finding.

Proportionality. The training received by each individual was commensurate with their role. This requires records that show different training paths or content for different role categories, not a single module applied uniformly. The four-tier architecture described above makes this straightforward to document.

Competence. The training produced the required knowledge and skills. For Tier 1, completion records and basic assessment scores may suffice. For Tiers 2 through 4, where the competence standard is higher, assessment evidence should demonstrate applied capability — scenario decisions, case study analysis, simulation outcomes — not just information recall.

The organisations that will find supervisory examinations least stressful are those that can produce a single document showing: here are our DORA-relevant role categories, here is the training each category received, here is the competence evidence for each tier, and here is the cadence at which the programme is reviewed and updated. That document, supported by the underlying records, is what proportionate Article 13 compliance looks like on paper.


Practical Next Steps

Article 13 is not the most complex article in DORA, but it touches every employee in a financial entity. Getting it right requires deliberate programme design, not just procurement of a training product.

If your organisation has not yet mapped its DORA training obligations against its workforce, start there. Identify which roles fall into which tier. Assess whether your existing training programmes cover the relevant content or whether there are gaps — particularly for non-technical staff and for the governance tier.

The DORA compliance training programme at Blend is designed around the tiered approach described in this article, with role-specific learning paths that produce proportionate, audit-ready evidence at each level. It covers the full Article 13 scope — ICT security awareness and digital operational resilience — using scenario-based approaches that test applied competence rather than passive recall.

For a quick assessment of where your current programme stands against Article 13's requirements and the broader DORA training framework, the compliance training diagnostic takes about two minutes and gives you a structured view of your coverage and evidence gaps.

DORA is already enforceable. Article 13's training obligations are not a future requirement — they are a current one. The good news is that the article's requirements are clear, the proportionality principle is reasonable, and a well-structured programme does not need to be expensive or disruptive to build. It needs to be deliberate, documented, and designed for the people who will actually use it.
