ICT security awareness programmes
Purpose and Integration into the ICT Risk Management Framework
ICT security awareness programmes under Article 13(6) DORA are a mandatory, organisation-wide capability designed to ensure that all staff—including senior management—possess a level of ICT security competence commensurate with their roles. These programmes constitute a core control element of the ICT risk management framework:
- Reinforce preventative controls (Article 9 DORA)
- Support detection and incident response (Articles 10 and 17 DORA)
- Strengthen ICT resilience through behavioural risk reduction, especially against social engineering, phishing, unauthorised access, and insider threats
- Address human-factor risk as a systemic part of digital operational resilience
Programmes must be compulsory, periodic, role-specific, and documented.
Scope and Applicability
Under Article 13(6), the programmes and training must apply to:
- All employees (operational, administrative, ICT, business units)
- Senior management staff
- ICT third-party service providers, where relevant, particularly those with access to ICT assets or information assets
- Any temporary staff, contractors, consultants, or outsourced personnel with logical or physical access to ICT assets
Training obligations must extend across entities on a consolidated or sub-consolidated basis where Article 6 applies at group level.
Required Content of ICT Security Awareness Programmes
Programmes must be comprehensive, risk-based, and aligned with the entity’s threat landscape, ICT environment, and critical or important functions. The content must include:
Basic Security Awareness (All staff)
- Secure handling of information assets and ICT assets
- Password hygiene and strong authentication principles
- Recognising phishing, social engineering, impersonation attacks
- Safe use of email, internet, collaboration tools
- Data protection obligations (availability, authenticity, integrity, confidentiality)
- Secure behaviour in remote work and teleworking settings
- Reporting channels for anomalous behaviour, ICS/ICT incidents, or suspicious emails (aligned with Article 23 RTS RMF)
Advanced Security Awareness (Staff with privileged or high-risk functions)
- Privileged access handling
- Identity and access management obligations (Articles 20–21 RTS RMF)
- Secure configuration, endpoint hardening, and developer-oriented secure coding requirements
- Incident detection familiarity
- Awareness of ICT change management implications
- Third-party risk and cloud-specific security risks
Security Awareness for Senior Management
Training for senior management must be role-appropriate and focus on:
- Strategic ICT risk governance (Article 5(2))
- Oversight responsibilities for ICT risk, incident management, BCP/DR, and third-party oversight
- Understanding RTO/RPO, BIA outcomes, and digital operational resilience metrics
- Decision-making processes during ICT disruptions
- Resource allocation responsibilities, including budgets for training (Article 5(2)(g))
Security Awareness for ICT Third-Party Service Providers
Financial entities must include third-party providers, where appropriate, in their training schemes (Article 30(2)(i)).
Requirements include:
- Induction into entity-specific ICT security requirements
- Awareness of incident notification obligations
- Expected behaviour for confidentiality, access, and secure operations
- Alignment with contractual clauses under Article 28 DORA
Delivery, Frequency, and Updating of the Programme
Frequency
- Mandatory annual training for all staff
- Ad-hoc training triggered by major ICT incidents, updated threat intelligence, or policy changes
- Periodic refresher modules, aligned with risk profile and staff responsibilities
Delivery Formats
- E-learning modules
- Classroom training
- Role-based tabletop exercises
- Simulated phishing campaigns
- Crisis communication drills
- Targeted micro-trainings following observed incidents or near misses
Programmes must be flexible to accommodate different staff areas and access rights.
Continuous Evolution (Article 13 DORA)
Training must evolve based on:
- threat intelligence,
- internal incident analysis,
- audit findings,
- digital operational resilience testing results (Articles 24–25 DORA),
- ICT risk assessment updates (RTS RMF Article 3),
- supervisory expectations.
Documentation, Evidence, and Audit Requirements
The financial entity must maintain:
- training records for all employees and third-party participants,
- evidence of completion and assessment results,
- schedules of recurring modules,
- versioning of training content,
- results of phishing simulations and metrics,
- remediation actions for staff failing mandatory assessments.
Internal audit must review:
- programme sufficiency,
- alignment with regulatory requirements,
- completeness of coverage,
- documentation quality,
- adherence to management body-approved policies.
Governance and Responsibilities
Under Article 5(2)(g) DORA, the management body must:
- approve the ICT security awareness programme,
- allocate sufficient budget, including for tools, simulations, and external training providers,
- periodically review and supervise the programme,
- ensure appropriate ICT skills across the entity,
- validate that training is risk-based and role-appropriate.
Operational responsibility typically lies with ICT security, HR learning & development, and CISO functions. The programme must be fully embedded in the ICT risk management framework (Article 6).