Contents
- Digital operational resilience training
- Purpose and Integration into the ICT Risk Management Framework
- Scope and Applicability
- Required Training Content for Digital Operational Resilience
- Delivery, Frequency, and Updating of Training
- Documentation and Audit Trail Requirements
- Governance and Responsibilities
Digital operational resilience training
Purpose and Integration into the ICT Risk Management Framework
Digital operational resilience training under Article 13(6) DORA is a mandatory component of the ICT risk management framework. Unlike general security awareness training, it is specifically focused on the financial entity's ability to prevent, withstand, respond to, and recover from ICT disruptions, including cyber-attacks, ICT failures, ICT third-party outages, and operational crises.
Training must:
- Enhance the entity’s resilience posture by strengthening staff readiness
- Support the execution of ICT response and recovery plans (Article 11)
- Enable early detection of anomalies and incidents (Articles 10 and 23 RTS RMF)
- Reinforce the design and operation of business continuity arrangements (Articles 11, 24–26)
- Integrate lessons learned from digital operational resilience tests (Articles 24–25) and audit findings
- Address behavioural and procedural elements necessary for coordinated crisis response
It is therefore a systemic component of the institution’s digital operational resilience capabilities.
Scope and Applicability
The training must be compulsory for:
- All employees
- Senior management staff, with specific training matching their governance responsibilities
- ICT third-party service providers, where appropriate, particularly those supporting critical or important functions
- Contractors, consultants and outsourced staff with access to ICT assets or involvement in resilience processes
Training obligations apply across the group where the ICT risk management framework is implemented on a consolidated or sub-consolidated basis (Article 6).
Required Training Content for Digital Operational Resilience
Training programmes must be risk-based and tailored to the function, seniority, and exposure of participants. They must cover the following domains:
Core Resilience Modules (mandatory for all staff)
- Fundamentals of digital operational resilience
- The entity’s ICT risk management structure and objectives
- Basic incident identification and reporting responsibilities
- Expected behaviour during ICT disruptions and crisis events
- Understanding the role of BCP, ICT BCP, and ICT response and recovery plans
- How to escalate issues via designated channels
- Behavioural guidelines during system outages, cyber-attacks, or suspicious events
Role-Specific Resilience Training
For staff involved in ICT operations, risk management, business continuity, or ICT security functions:
- Execution and activation steps for ICT response and recovery plans
- How to support switchover to backup systems, redundant capacity, or secondary sites (Articles 12 and 25)
- Incident classification, triage, and prioritisation
- Logging, monitoring, and anomalous activity detection
- Crisis communication procedures (Article 14)
- Digital operational resilience testing methodologies (scenario-based testing, TLPT-inspired testing)
- Third-party dependency handling during ICT disruptions
Senior Management Resilience Training
Training for senior management must reflect their statutory responsibilities under Article 5(2):
- Governance, strategy, and oversight obligations
- Decision-making during ICT disruptions or crises
- Reviewing and approving ICT BCP and ICT response/recovery plans
- Understanding ICT risk tolerance and impact-tolerance thresholds
- Effective oversight of ICT third-party resilience and concentration risk
- Interpreting resilience metrics, KRIs, KPIs, and test results
- Resource allocation obligations for achieving resilience (Article 5(2)(g))
Training for ICT Third-Party Service Providers
Where required by Article 30(2)(i) DORA, training for ICT third-party service providers must cover:
- Familiarisation with the financial entity’s ICT response and recovery requirements
- Incident detection and notification obligations
- Expected behaviour during ICT disruptions affecting critical functions
- Alignment with the entity’s BCP and response/recovery expectations
- Data confidentiality and secure operations expectations
Delivery, Frequency, and Updating of Training
Frequency Requirements
- Mandatory annual training for all employees
- More frequent, function-specific training for ICT, BCP, security, and incident response teams
- Event-driven training after major ICT incidents or supervisory findings
- Post-test training reflecting the outcomes of resilience testing (Articles 24–25)
Delivery Methods
- Workshops, drills, tabletop exercises, and functional rehearsals
- Incident simulation exercises, including cyber-attack scenarios
- Digital modules and e-learning
- Group-wide crisis management exercises
- TLPT-aligned exercises (where applicable)
Continuous Development
Training must be continuously updated to reflect:
- New or emerging cyber threats
- Changes to the ICT architecture or critical functions
- Lessons learned from ICT incidents
- Audit findings
- Supervisory reviews
- Digital operational resilience testing results
Documentation and Audit Trail Requirements
Financial entities must maintain:
- Attendance records for all staff and third-party participants
- Completion certificates and test scores (where applicable)
- Evidence of scenario-based training and simulation exercises
- Version control for training materials
- Annual training plans and calendars
- Records of mandatory training non-completion and remediation actions
Internal audit must assess:
- Scope and sufficiency of the digital operational resilience training
- Alignment with regulatory requirements and risk profile
- Effectiveness of training in building resilience
- Adequacy of documentation and evidence
Governance and Responsibilities
Under Article 5(2)(g) DORA, the management body must:
- Define, approve, and oversee digital operational resilience training
- Provide adequate budget and resources for the training programme
- Ensure that training aligns with the ICT risk management framework (Article 6)
- Review training content periodically
- Ensure senior management itself completes the required modules
Operational ownership typically lies with ICT risk, ICT security, business continuity, and HR learning & development, under the oversight of the CISO or equivalent function.