How to choose DORA training: a buyer's guide for financial entities
DORA has applied since 17 January 2025. Five pillars, twenty in-scope financial entity categories, a 4-hour incident-reporting clock, a Register of Information that most firms failed at first attempt, and direct ESA oversight of critical ICT third-party providers. Article 13(6) makes operational resilience training compulsory. This guide walks through what to train on, how formats compare, and what supervisors will look for at examination.
What DORA actually requires you to train on
Article 13(6) requires entities to develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes, applicable to all employees and senior management, with a level of complexity commensurate to the remit of each function. Article 5(4) requires members of the management body to keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on operations, including through regular training. The training duty prescribes little content of its own; the practical scope is set by the five pillars.
Pillar 1: ICT risk management (Articles 6-16) requires a documented governance framework, identification and protection of ICT assets, detection capabilities, response and recovery, and learning from incidents. Pillar 2: incident reporting (Articles 17-23) imposes the 4-hour, 72-hour, and 1-month reporting cycle for major ICT-related incidents. Pillar 3: digital operational resilience testing (Articles 24-27) covers vulnerability assessments, network security tests, scenario-based tests, and TLPT for significant entities. Pillar 4: ICT third-party risk (Articles 28-44) imposes contractual due diligence, the Register of Information, sub-outsourcing rules, exit strategies, and direct oversight of CTPPs. Pillar 5: information sharing (Article 45) covers voluntary sharing of cyber threat intelligence between entities.
Translating into training: a baseline ICT awareness module for all staff, role-tailored modules for the CISO function, incident response team, ICT third-party risk team, and ICT continuity team, an Article 5 governance module for the management body, and exercise-based training for incident response practising the 4-hour reporting clock under time pressure.
Eight questions to ask any provider
Are the five pillars covered specifically? A course that lists 'DORA' as a topic in a broader compliance bundle is awareness content. The five pillars need to be taught in depth.
Is the 4-hour incident-reporting cycle practised? The cycle is where firms most often surface gaps under live pressure. Tabletop or scenario practice is essential.
Does the course cover the Register of Information work in detail? The ESAs' 2024 dry-run exercise, and the remediation that followed it ahead of the first live submissions in 2025, showed this is the part most firms struggle with operationally.
Are there role-specific paths? Board, CISO, incident response, ICT third-party risk, and general staff need different content.
Has the content been legally reviewed? Qualified EU financial services counsel is the credibility floor.
How are content updates handled? The ESAs continue to issue technical standards and clarifications through 2026 and beyond.
Is the course available in our operating languages? Pan-European entities need consistent training in every operating language.
Is it SCORM 1.2 ready? A SCORM 1.2 package drops into virtually any LMS and writes completion records where your examiners will look for them; a course that lives only on the vendor's own platform means a separate login per learner and completion evidence held outside your systems.
What supervisors look for at examination
Competent authorities began routine supervision from 17 January 2025. Examination focus areas in 2025-2026 have included the Register of Information (the largest single source of findings), the 4-hour reporting workflow (most firms have a documented process; fewer have practised it), ICT third-party concentration risk, exit strategies, and management body knowledge under Article 5. The questions a firm should be ready to answer: do you have a documented ICT security awareness programme; can you produce per-learner completion evidence; was the training role-appropriate; is incident response practised; did the management body participate; can the Article 5 board questions be answered by named members.
A phishing-only training programme does not answer those questions. A scenario-based programme practising the 4-hour cycle, combined with role-tailored modules and Article 5 board sessions, does.
How Blend Training approaches DORA
Blend's DORA course is a scenario-based programme that puts learners in the Head of Compliance seat during a critical vendor outage on month-end, with the 4-hour clock running. It covers incident classification, the reporting cycle, Register of Information work, ICT third-party accountability, and the supervisory examination perspective. A German-language version is available for entities operating in Germany and Austria.
Content is reviewed and signed off by qualified EU financial services counsel. Updates are included in the annual licence. Pricing follows the standard tier model: €690 per year (up to 50 staff), €1,490 (up to 250), €3,990 (up to 1,000), and from €15,000 per engagement for bespoke programmes that map to the entity's specific Register of Information and incident playbook. SCORM 1.2 packages, deployable to any LMS in minutes.
What does DORA require financial entities to train on?
Article 13(6) requires entities to develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training, applicable to all employees and senior management. Practical scope should cover: the five pillars (ICT risk management, incident classification and reporting, digital operational resilience testing, ICT third-party risk, information sharing); the Article 19 incident reporting cycle (initial notification within 4 hours of classification, intermediate report within 72 hours, final report within one month); the Register of Information requirement under Article 28(3); the threat-led penetration testing regime for entities identified by their competent authority (Articles 26-27); the management body responsibility under Article 5; basic cyber hygiene and incident detection for all staff; deeper modules for incident classification teams, ICT third-party risk managers, and ICT continuity teams.
Is DORA training mandatory by law?
Yes. Article 13(6) explicitly requires DORA training as a compulsory part of staff training. Article 5(4) requires that management body members maintain sufficient knowledge and skills to understand and assess ICT risk and its impact on operations. The competent authority can examine training programmes during supervisory examination. DORA is a Regulation and applies directly, so there is no transposition of the obligations themselves; the penalty regime, however, is national, laid down by each Member State under Article 50 and aligned with the sectoral frameworks (CRD, MiFID, Solvency II, etc). Sanctions vary by Member State and can include fines, withdrawal of authorisation, and measures against members of the management body.
When did DORA enforcement begin?
DORA entered into force on 16 January 2023 and has applied since 17 January 2025. There was no phased rollout of the obligations: all five pillars and the corresponding penalty framework applied from the same date, and competent authorities began supervisory examinations from then. The ESAs ran a dry-run of the Register of Information submission in 2024 in which the overwhelming majority of submitted Registers failed quality checks, prompting widespread remediation programmes ahead of the first live 2025 submissions and through 2025-2026.
Who is a critical ICT third-party service provider (CTPP) and why does that matter for training?
CTPPs are ICT third-party providers designated by the ESAs as systemically important to the EU financial sector. Designation is based on the systemic impact a large-scale failure of the provider would have, the number, size and systemic importance of the financial entities relying on the provider, their reliance on it for critical or important functions, and substitutability. Designated CTPPs come under direct oversight by an ESA Lead Overseer. For financial entities, the practical effect is heightened due-diligence on contractual arrangements with CTPPs and accelerated supervisory expectations on the documented Register of Information entries. Training for ICT third-party risk teams should cover CTPP identification, the consequences of CTPP designation for the contractual relationship, and the Lead Overseer's powers under Article 35 and following (information requests, general investigations, and inspections).
What is the DORA 4-hour incident reporting deadline in practice?
Under Article 19(4) and the ESAs' technical standards on incident reporting, an entity must submit an initial notification to the competent authority within 4 hours of the incident being classified as major. The clock starts at classification, not detection, but with a backstop: the initial notification is due no later than 24 hours from the moment the entity became aware of the incident, so a slow classification does not buy extra time. Classification follows the criteria of Article 18 and the Commission Delegated Regulation on classifying major ICT-related incidents, with materiality thresholds on clients and counterparts affected, economic impact, geographical spread, duration and service downtime, data losses, criticality of services impacted, and reputational impact. The intermediate report is due within 72 hours of submitting the initial notification and must include refined information about the incident's impact and the response. The final report is due within one month of the latest intermediate report and must include root cause analysis and the remediation plan. The cycle is high-pressure, document-heavy, and is the part of DORA most likely to surface training gaps.
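As an added illustration (not code from this page, nor any vendor's tool), the following Python encodes the reporting-cycle arithmetic the way an incident response team would script it into a playbook checklist: the 4-hour clock from classification, capped at 24 hours from awareness, then the 72-hour and one-month stages chained off the actual submission times. The calendar-month convention for the final report (same day next month, clamped to the month's last day) is an assumption to be confirmed with counsel, and all names and the sample timestamps are constructed for the example.

```python
"""Deadline arithmetic for the DORA major-incident reporting cycle.

Added illustration only: not code from the original page or from any vendor.
Timelines follow DORA Article 19(4) and the ESAs' reporting technical
standards as the author understands them; month arithmetic is an assumption.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)   # 4 h from classification as major
INITIAL_CAP_FROM_AWARENESS = timedelta(hours=24)   # never later than 24 h from awareness
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)    # 72 h from submitting the initial notification


def _utc(ts: datetime, name: str) -> datetime:
    """Refuse naive timestamps: a deadline computed in local time is a finding waiting to happen."""
    if ts.tzinfo is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's last day.

    Assumed convention: the standards say 'one month' without defining the
    arithmetic, so 31 January maps to 28 (or 29) February here.
    """
    ts = _utc(ts, "timestamp")
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def initial_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """4 h from classification, but a slow classification cannot push the
    initial notification past 24 h from first awareness."""
    aware_at, classified_at = _utc(aware_at, "aware_at"), _utc(classified_at, "classified_at")
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    return min(classified_at + INITIAL_FROM_CLASSIFICATION, aware_at + INITIAL_CAP_FROM_AWARENESS)


def intermediate_deadline(initial_submitted_at: datetime) -> datetime:
    """72 h from the actual submission of the initial notification."""
    return _utc(initial_submitted_at, "initial_submitted_at") + INTERMEDIATE_FROM_INITIAL


def final_deadline(latest_intermediate_submitted_at: datetime) -> datetime:
    """One month from the latest intermediate report actually submitted."""
    return add_one_month(latest_intermediate_submitted_at)


@dataclass(frozen=True)
class ReportingClock:
    """State of one major incident's reporting cycle; None means 'not yet submitted'."""
    aware_at: datetime
    classified_at: datetime
    initial_submitted_at: datetime | None = None
    intermediate_submitted_at: datetime | None = None
    final_submitted_at: datetime | None = None

    def deadlines(self) -> dict[str, datetime]:
        """Deadlines known so far; a later stage appears only once the earlier report is in."""
        out = {"initial": initial_deadline(self.aware_at, self.classified_at)}
        if self.initial_submitted_at is not None:
            out["intermediate"] = intermediate_deadline(self.initial_submitted_at)
        if self.intermediate_submitted_at is not None:
            out["final"] = final_deadline(self.intermediate_submitted_at)
        return out

    def overdue(self, now: datetime) -> list[str]:
        """Stages whose deadline has passed without a submission, in cycle order."""
        now = _utc(now, "now")
        submitted = {
            "initial": self.initial_submitted_at,
            "intermediate": self.intermediate_submitted_at,
            "final": self.final_submitted_at,
        }
        return [stage for stage, due in self.deadlines().items()
                if submitted[stage] is None and now > due]


if __name__ == "__main__":
    # Constructed sample: aware at 01:00 UTC, classified as major at 22:30 UTC the same day.
    # The 24 h backstop from awareness, not the 4 h clock, sets the initial deadline here.
    clock = ReportingClock(
        aware_at=datetime(2025, 6, 30, 1, 0, tzinfo=timezone.utc),
        classified_at=datetime(2025, 6, 30, 22, 30, tzinfo=timezone.utc),
    )
    for stage, due in clock.deadlines().items():
        print(f"{stage:12s} due {due.isoformat()}")
```

The useful property for a tabletop exercise is the second scenario in the sample: classifying late in the day moves the initial deadline to the awareness-plus-24-hours backstop, which is exactly the case teams miss when they only rehearse "four hours from the decision".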
Who needs threat-led penetration testing (TLPT) training?
TLPT under Articles 26-27 is mandatory for entities identified by their competent authority, based on criteria including size, systemic importance, ICT risk profile, and the ICT exposure of their business-as-usual operations. Identified entities must conduct TLPT at least every three years, following the TIBER-EU framework or an equivalent national implementation, with testers meeting the Article 27 requirements. Internal testers are allowed only under the Article 26(8) conditions (including competent authority approval), and the threat-intelligence provider must always be external. Internal teams running TLPT (the white or control team coordinating the test) need specialist training on the TLPT methodology, threat intelligence integration, and the relationship with the competent authority. Operational teams in scope need exercise training so they respond to the live test as they would to a real incident.
What formats does DORA training come in?
Four main formats. (1) Free guidance from the ESAs (EBA, EIOPA, ESMA), national competent authorities, and industry bodies. Useful as background; not sufficient on its own for supervisory evidence. (2) Awareness e-learning bundled with broader financial-services compliance subscriptions. Often shallow on DORA-specific content. (3) Scenario-based e-learning that puts learners in the Head of Compliance, CISO, or incident response lead seat during a live ICT incident with the 4-hour clock running. (4) Live workshops, particularly for board governance training, Register of Information work, and tabletop exercises ahead of supervisory examination.
How much does DORA training cost?
Bundled financial-services compliance subscriptions: €15-€40 per learner per year, usually thin on DORA specifics. Scenario-based DORA courses: €690 to €3,990 per organisation per year on a tiered licence. Bespoke programmes tailored to the entity's Register of Information, ICT third-party landscape, and incident response playbook: from €15,000 per engagement. Live tabletop exercises and TLPT simulation training: €5,000 to €20,000 per session, depending on scenario complexity and instructor seniority. For significant entities preparing for TIBER-EU-style TLPT, specialist threat-intelligence-led red-team services start at €100,000 per engagement.
What should I ask any DORA training provider?
(1) Are the five DORA pillars covered specifically, or only mentioned at a level of general awareness? (2) Is the Article 19 incident reporting cycle practised, not just described? (3) Does the course cover the Register of Information work in detail? (4) Are there role-specific paths for board, CISO, incident response, ICT third-party risk, and general staff? (5) Has the content been legally reviewed by qualified EU financial services counsel? (6) How are content updates handled when the ESAs issue new guidance or technical standards? (7) Is the course available in our operating languages? (8) Is it SCORM 1.2 ready?
Who in my financial entity needs DORA training?
All staff need a baseline ICT security awareness module. The management body needs Article 5 governance training and personal-accountability awareness. The CISO and ICT risk management function need deep training on the Articles 6-16 ICT risk management requirements. Incident response teams need Articles 17-23 scenario training under the 4-hour clock. ICT third-party risk teams need Articles 28-30 contractual due-diligence and Register of Information training. Entities identified for TLPT additionally need TLPT-readiness training for the white team and exercise training for in-scope operational teams. Communications and legal need incident-response cycle training for the regulator interface and any public disclosure obligations.