DORA Compliance Training: What Financial Institutions Actually Need in 2026
DORA compliance training requirements explained for financial institutions in 2026. What Articles 5, 13, 17 and 19 actually require, and how to prepare your teams.
DORA compliance training is one of those phrases that means completely different things depending on who you ask. Ask a cybersecurity vendor and you'll hear about phishing simulations and password hygiene. Ask a consultant and you'll hear about facilitated tabletop exercises. Ask a supervisory authority and you'll hear about incident classification, notification timelines, and whether your management body can demonstrate genuine oversight of ICT risk.
The Digital Operational Resilience Act has been in force since January 2025. Supervisory examinations are underway. The gap between what most financial institutions have done for training and what the regulation actually requires is, in many cases, significant.
This post sets out what DORA's training requirements genuinely demand, where common approaches fall short, and what a programme that would satisfy a competent authority actually looks like.
What DORA Actually Requires for Training
The regulation is specific about training in four places. Reading the articles together tells you what supervisors will test for.
Article 5 places responsibility for ICT risk management squarely with the management body. Board members and senior executives must not only approve the ICT risk framework, they must "acquire and maintain sufficient knowledge and skills" to understand and assess ICT risk. This responsibility cannot be delegated. The board cannot point to the CISO and consider itself covered. Supervisory examinations will interview the management body directly.
Article 13(6) requires financial entities to develop ICT security awareness programmes and digital operational resilience training. These must be mandatory, must apply to all staff with ICT responsibilities, and must be delivered regularly. The article does not specify format, but it does require that the training address the actual risk landscape. Generic awareness modules satisfy the letter of this requirement. They do not satisfy its spirit, and competent authorities who examine your training evidence will notice the difference.
Article 17 is where most institutions underestimate what is expected. It requires financial entities to define, establish, and implement an ICT-related incident management process, including classification procedures. Critically, it requires that staff responsible for incident response can actually execute the process under pressure. The classification criteria for "major incidents" are objective: user numbers affected, geographic spread, duration, economic impact, reputational consequence. Getting the classification wrong starts the clock running late, or not at all.
Article 19 sets the notification timelines. Once a major ICT incident is classified, the initial notification goes to the competent authority within four hours. The intermediate report follows within 72 hours. The final report arrives within one month. These are not targets. They are legal obligations. If your operations team has never practised filing against a four-hour clock with incomplete information, they have not trained for Article 19. They have read about it.
Why Scenario-Based Testing Is Not the Same as Awareness Training
This distinction matters enough to be direct about it.
An awareness module tells a compliance officer that a major ICT incident must be classified within a defined timeframe. A scenario puts that same compliance officer in front of a degrading payment gateway at 9:47 on a month-end Friday. The cloud provider's status page says "investigating." 14,000 merchants are affected. The CEO is on a plane. The four-hour clock is running.
The first format produces knowledge. The second produces the ability to act.
Article 17 does not say staff should be aware of the incident classification criteria. It says financial entities must establish an ICT incident management process and ensure it can be executed. A supervisory authority examining your programme will want to see evidence of tested capability, not slides about the regulation.
The distinction also matters commercially. Financial institutions buying e-learning compliance packages for DORA should ask whether what they are buying addresses Article 13(6) awareness requirements, Article 17 process capability requirements, or both. They are not the same thing, and the evidence they produce for supervisors looks quite different.
What Tabletop Exercises Do Well (and Where They Fall Short)
Consultant-facilitated tabletop exercises remain the most rigorous way to test an institution's incident response capability at the leadership level. When a good facilitator runs a realistic vendor failure scenario with the right people in the room, a bank learns things about its own processes that no LMS course will reveal. Decision-making under pressure, communication breakdowns, unclear ownership between IT and compliance, the gap between the documented procedure and the actual one: all of these surface in a well-run exercise.
The limitation is structural, not qualitative.
A typical tabletop exercise costs between EUR 3,000 and EUR 10,000 to run. It involves 8 to 15 people, takes the better part of a day, and happens once or twice a year. That covers a fraction of the staff who need Article 17 and Article 19 capability. The Head of Operations attends. The 23 compliance officers and payments specialists who will actually be first responders on a month-end outage do not.
There is also a coverage problem. Tabletop exercises typically address one scenario per session. DORA's risk surface covers ICT incident response, third-party concentration risk, TLPT management, exit strategy activation, and board-level supervisory examination. Getting adequate coverage across all five areas at tabletop frequency would require a training budget most compliance teams do not have.
The practical answer is not to choose between formats. Facilitated exercises test leadership-level decision-making and reveal systemic process gaps. Scenario-based digital training brings Article 17 capability to the full population of first responders, provides evidence of completion and performance at scale, and allows repeated practice. They serve different purposes and belong in the same programme.
What Good DORA Compliance Training Looks Like in Practice
There are four areas where training needs to go beyond awareness if it is going to produce supervisory evidence worth anything.
Incident classification. Staff responsible for incident response need to be able to apply DORA's classification criteria in real conditions: under time pressure, with incomplete information, and with a decision tree they have actually used before. Training should put them through the classification logic on realistic scenarios, not describe it in a slide.
The four-hour notification clock. Filing an initial notification to the competent authority within four hours of classification requires pre-approved templates, a clear chain of sign-off, 24/7 coverage, and practice. Training should include the actual mechanics of filing: who authorises the notification, what goes in it at the initial stage, and what happens when the relevant person is unavailable. Many institutions have documented the process. Very few have tested it.
Third-party risk and vendor accountability. Articles 28 to 30 create detailed requirements around ICT third-party risk management, including contractual rights, concentration risk assessment, and exit strategies. When a critical cloud provider goes down or is acquired by a competitor, the relevant staff need to understand where their DORA obligations sit regardless of what the vendor is or is not doing. Training that does not address vendor scenarios leaves a significant gap.
Board reporting on ICT risk. Article 5 requires the management body to actively oversee ICT risk. Training for board members and senior executives should cover what they are expected to know, what questions they should be asking, and how to respond credibly when a competent authority examines them on ICT governance. This is a distinct training need from operational incident response, and it is frequently neglected.
Self-Assessment: Is Your Training Programme Examination-Ready?
The following questions are adapted from what supervisory examination teams will look at. Honest answers will tell you where your programme has gaps.
Incident classification. Do the staff who will be first responders to an ICT incident have a documented decision tree for classifying it as major? Have they used it under time pressure in a test or training scenario, with the results recorded?
Notification process. Can your team file an initial notification to your competent authority within four hours of classification? Do you have pre-approved templates, a clear sign-off chain, and coverage for evenings and weekends?
Board-level knowledge. If your competent authority interviewed your management body about ICT risk, could they articulate the current threat landscape, the top ICT concentration risks in your portfolio, and the status of your TLPT programme?
Third-party scenarios. Has your training included at least one scenario involving a vendor outage or service failure that required your team to apply DORA obligations without relying on the vendor to take the lead?
Evidence of completion. Do you have records showing which staff completed which training, when, and with what scores? Is that evidence structured well enough to present to an examiner quickly?
Coverage of first responders. Does your scenario-based ICT incident training reach the compliance officers, payments operations teams, and risk functions who will actually be involved in a real incident, or only the senior leadership who attend tabletop exercises?
Programme cadence. Is your training programme updated to reflect changes in your ICT infrastructure, your third-party portfolio, and supervisory guidance? Or was it built once when DORA came into force and has not been reviewed since?
If you answered "no" or "not sure" to three or more of these, you have material gaps. The DORA Readiness Calculator will give you a more detailed picture across all five DORA compliance areas.
Preparing for What Supervisors Will Actually Check
The institutions that will come through supervisory examinations well are not the ones that built the thickest compliance documentation folders. They are the ones where the relevant people have practised.
Practised incident classification on a realistic timeline. Practised filing a notification under pressure. Practised a conversation with an examiner about ICT concentration risk. Practised the moment when the exit plan has to be activated and turns out to have gaps.
Training is not a substitute for good ICT risk infrastructure. But without training, even well-designed infrastructure fails at the human decision points. DORA's requirements reflect that. The four-hour clock, the classification criteria, the board knowledge requirements: all of them are ultimately about whether people can perform when it matters.
If you want to see what that training looks like in practice, the DORA scenario demo puts you in the Head of Compliance seat during a live outage. It takes 15 minutes and requires no registration.
For a structured view of where your institution stands, the DORA Readiness Calculator takes seven minutes and produces a prioritised gap assessment you can share with your senior team.