DORA Compliance Training

Done-for-you DORA training for your financial services team

We deliver mandatory DORA training across your workforce — ICT risk management, third-party ICT risk, incident reporting, digital operational resilience testing, and threat-led penetration testing. Managed rollout, audit-ready evidence accepted by EBA, ESMA, EIOPA, and national supervisors. Live for your team in under a week.

100,000+ professionals trained

Audit-ready (EBA, ESMA, EIOPA)

Live for your team in 5 business days

Dedicated customer success manager

Used by financial entities & ICT third-party providers

Browse the Course Catalog

Get a custom training quote

Tell us your team size — receive a tailored proposal within 1 business day.

Trusted by Compliance Teams at Leading Organizations

IKEA

Roche

Coca-Cola

Samsung

Huawei

Microsoft

JPMorgan Chase

Volkswagen

Shell

Nestlé

Siemens

BMW

Unilever

AXA

Lufthansa

Pfizer

Adidas

IKEA

Roche

Coca-Cola

Samsung

Huawei

Microsoft

JPMorgan Chase

Volkswagen

Shell

Nestlé

Siemens

BMW

Unilever

AXA

Lufthansa

Pfizer

Adidas

The cost of getting this wrong

Staff training is your first line of defence — and the first piece of evidence regulators ask for.

of average daily worldwide turnover

DORA periodic penalty payments — applicable each day until compliance is achieved

Jan 2025

DORA enforcement is live

Regulation 2022/2554 has applied since 17 January 2025 — no grace period for staff training

Personal

liability for management body members

Article 5 makes the management body accountable for ICT risk governance and resilience

Why DORA training is mandatory — not optional

DORA Article 13(6) explicitly requires financial entities to develop ICT-related awareness programs and digital operational resilience training as compulsory modules in their staff training schemes. Article 5 makes the management body responsible for the ICT risk-management framework — and personally accountable. The regulation applies to ~22,000 financial entities across the EU plus their critical ICT third-party providers, with no transitional carve-outs after 17 January 2025.

Article 13(6) — financial entities must include ICT-related awareness and resilience training as compulsory staff training, with documented evidence

Article 5 — management bodies are personally accountable for the ICT risk-management framework and its training components

Article 14 — communication strategies for ICT incidents require staff trained on internal and external escalation

Article 28 — third-party ICT risk obligations cascade training requirements to your critical providers

Your training program covers every DORA pillar

Curated from our full library and tailored to your entity type (credit institution, payment institution, investment firm, insurer, crypto-asset service provider, ICT third-party), your size, and your role under the regulation — you don't pick modules from a menu, we propose the right curriculum.

DORA scope, entity types, and proportionality principle

ICT risk-management framework (Article 5–16)

Article 13(6) workforce awareness & resilience training

ICT-related incident classification and reporting (Article 17–23)

Major ICT incident reporting timelines (initial, intermediate, final)

Digital operational resilience testing (Article 24–27)

Threat-led penetration testing (TLPT) for significant entities

Third-party ICT risk: register, contracts, exit strategies (Article 28–44)

Critical ICT third-party provider oversight

Information sharing arrangements & cyber threat intelligence

Not sure what your team needs?

Free proposal — within 1 business day

We curate the right modules for each part of your team

All Employees

ICT & Security Teams

Third-Party Risk

Management Body

Incident Response

ICT Third-Party Providers

What every enterprise rollout includes

Managed rollout in 5 business days

Dedicated customer success manager handles enrolment, role mapping, kickoff communications, and reminder cadence.

Article 13(6) audit-ready evidence

Dated certificates per learner, exportable completion logs, and management-body training records that meet supervisor documentation expectations.

Manager dashboard & reporting

Track completion across teams, business lines, and ICT third-party providers. Export evidence packages for EBA, ESMA, EIOPA, and national authorities.

Single sign-on (SSO) & SCIM

SAML 2.0, OIDC, and SCIM provisioning. New joiners enrolled automatically. Leavers de-provisioned. Zero admin overhead.

Annual refresher cycle built-in

Multi-year licensing rolls learners forward each year with content updates as ESAs publish technical standards (RTS/ITS) and supervisor guidance.

Custom modules & policy attestations

Your logo on certificates, co-branded learner emails, and the option to attach your ICT risk policy, incident response plan, or third-party register procedure to any module.

Enterprise Rollout

Designed for financial entities rolling out DORA training to 25 — 5,000+ employees

We don't sell self-checkout seats to financial enterprises. We propose a curated curriculum based on your entity type and your DORA proportionality category, manage the rollout, and hand you an evidence package your supervisor will accept on the first review.

Curriculum tailored to entity type (credit institution, payment, investment, insurer, CASP, ICT TPP)
Up to 40% off list price at 25, 50, 100, 250, and 500+ seats
Article 5 management-body briefing (45 min) included
Group-level rollouts supported across multiple member states and entities
Evidence package for EBA / ESMA / EIOPA / national supervisor review

What customers say

“DORA enforcement landed in January 2025 and we needed Article 13(6) training documented across the entire workforce within weeks. The managed rollout delivered audit-ready evidence — and the management-body briefing covered Article 5 personal-liability points exactly the way our board needed.”

Group CISO, JPMorgan Chase

Banking — 1,200+ employees trained

“We're an insurer subject to DORA plus our ICT third-party providers fall in scope. The training program covered both — and the per-entity completion reports plugged straight into our supervisor submission.”

Head of Operational Resilience, AXA

Insurance — 800+ employees trained

Frequently Asked Questions

Is DORA training legally required?

Yes — Article 13(6) of Regulation (EU) 2022/2554 explicitly requires financial entities to develop ICT-related awareness programs and digital operational resilience training as compulsory modules in their staff training schemes, with proportionality applied to entity size and risk profile. The regulation has applied since 17 January 2025 with no transitional period for staff training. Supervisors expect documented evidence on first audit.

Who does DORA apply to?

DORA applies to ~22,000 financial entities across the EU — credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, insurers, reinsurers, intermediaries, AIFMs, UCITS management companies, central counterparties, trading venues, central securities depositories, and others — plus their critical ICT third-party providers (CTPPs) which fall under direct ESA oversight. Proportionality applies to firms below thresholds, but training requirements still apply.

How does DORA differ from NIS2?

DORA is a regulation (directly applicable, no national transposition) specifically for the financial sector, while NIS2 is a directive transposed into national law applying broadly across 18 sectors. Where both apply, DORA takes precedence (lex specialis). Many financial firms must train staff to satisfy both — our curriculum covers the overlap so you don't run two programs.

How long does a typical enterprise rollout take?

Most rollouts are live for the workforce within 5 business days of contract signature. Group-level rollouts (multiple entities across member states) typically take 7–10 business days due to per-entity setup, but each entity completes independently.

Do you cover the Article 5 management-body training expectation?

Yes — every enterprise rollout includes a 45-minute management-body briefing covering Article 5 governance obligations, personal accountability, ICT risk-management framework, and reporting to the supervisory function. Designed to satisfy supervisor expectations of board-level training without taking a full day.

How does pricing work for a team of 1,000 employees?

Enterprise pricing is volume-based with discount tiers at 25, 50, 100, 250, and 500+ seats. A 1,000-seat rollout typically lands 40% below list price. Multi-year terms unlock further discounts and include the annual refresher cycle plus content updates as ESA technical standards (RTS/ITS) are published and revised.

Can we add custom modules — e.g. our ICT risk policy?

Yes. We routinely add policy attestations and custom modules: ICT risk policies, incident response plans, third-party register procedures, business continuity playbooks. Your CSM scopes the additions during onboarding.

Do you offer single sign-on and SCIM?

Yes — SAML 2.0, OIDC, and SCIM provisioning are included on enterprise plans. New joiners are auto-enrolled into the right modules based on department; leavers are de-provisioned automatically.

Can we white-label certificates and learner emails?

Yes — your logo is added to certificates and learner-facing emails on every enterprise plan. Single-tenant white-label and custom domain are available on request.

Related guides

Financial Crime

DORA Compliance and Training for Financial Services: The Complete Guide for 2026

Cybersecurity

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Education

Compliance Glossary: Key Terms and Definitions 2026

Ready to brief us on your team rollout?

Tell us your entity type (credit institution, payment, investment, insurer, CASP, ICT TPP), your DORA proportionality category, and your headcount. We'll come back with a curriculum proposal, pricing, and a rollout plan within 1 business day.

Free proposal · response within 1 business day

Done-for-you DORA training for your financial services team

Why DORA training is mandatory — not optional

Ready to brief us on your team rollout?

Free proposal · response within 1 business day