How CyberPilot can help you with DORA
CyberPilot can help you meet several of the requirements laid out in DORA
Summary
DORA requires financial entities to manage ICT risks effectively and ensure that employees understand the cyber threats and responsibilities relevant to their roles.
CyberPilot can help with the parts of DORA that relate to training and awareness:
- Awareness training gives employees a baseline understanding of cybersecurity risks.
- Phishing training helps test and improve an organization’s ability to withstand phishing attacks, supporting its overall operational resilience.
- Role-specific training makes sure different groups receive the training relevant to their responsibilities.
- Internal policies can be uploaded and distributed directly in the CyberPilot App, so that employees read and acknowledge them.
Note that organizations must still meet the remaining DORA obligations, such as incident reporting, resilience testing, and managing ICT third-party risks, through other means.
DORA overview
The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the cybersecurity and digital resilience of the financial sector, e.g., banks, insurance companies, and investment firms.
DORA sets requirements in six main areas that together define how financial entities prevent, withstand, and recover from ICT-related disruptions:
- ICT risk management: Organizations must establish an ICT risk management framework, including governance, controls, business continuity, and disaster recovery.
- ICT third-party risk management: Risks related to ICT service providers must be identified, monitored, and managed.
- Digital operational resilience testing: ICT systems must be tested regularly, from basic assessments to advanced threat-led penetration testing (TLPT) for larger or critical institutions.
- ICT-related incidents: Entities must detect, classify, and manage ICT incidents consistently, log them, and report major incidents to their competent authority.
- Information and intelligence sharing: Financial entities are encouraged to exchange cyber threat intelligence to strengthen collective resilience within the sector.
- Oversight of critical third-party providers: DORA introduces an EU-level oversight framework for critical ICT third-party providers, such as major cloud and technology services.
Training requirements under DORA
Financial entities under DORA must ensure that their employees understand ICT-related risks and receive the right training for their specific roles. This includes both general security awareness and the skills needed to support operational resilience.
CyberPilot can help with this requirement.
How CyberPilot can help you meet these requirements
Our awareness training provides the foundation for the general security awareness DORA requires. It helps employees understand common cybersecurity risks and promotes secure digital behavior across the organization. It covers the bulk of the general training expectations and can be distributed through role-based training plans.
Our phishing training strengthens operational resilience by helping organizations assess and improve their ability to withstand phishing attacks. The insights gained from phishing simulations, such as which departments or roles click most often, can feed into the organization's broader ICT risk management activities, which are an essential part of DORA compliance.
| Step | What your organization should do |
|---|---|
| Provide general awareness training to all employees | Start with continuous, organization-wide awareness training so everyone understands basic ICT risks and secure digital behavior. |
| Provide continuous phishing training | Run phishing simulations at regular intervals to build resilience and ensure employees can recognize and respond to phishing attempts. |
| Identify high-risk roles and create role-specific training | Define which groups (e.g., management, IT staff, privileged users) need deeper or additional training in specific topics. |
| Conduct an ICT risk analysis | Conduct a DORA-specific risk analysis to identify your organization's biggest vulnerabilities, threats, and exposure areas. Ensure management understands the results, and pick relevant courses for the employees who work in those areas. |
| Adjust and expand training based on the risk analysis | Use the risk assessment results to add targeted training where needed (e.g., device security, social engineering, remote work). |
| Ensure employees understand and follow internal policies and procedures | Upload your internal policies and guidelines to the platform under "Own Materials" and include them in your training plans, so that employees receive, read, and acknowledge them as part of their learning. |
Note: This overview does not cover every aspect of DORA compliance, only those aspects that relate to training and awareness.
For the remaining areas, organizations can build on top of our courses with their own advanced or workshop-based learning.
Role-specific training
Training should be specific to the recipient’s role and responsibilities.
You can do this in CyberPilot by creating separate training plans for specific groups within your organization.
- First, identify which key roles in your organization might need particular training.
- Now, make sure employees in these roles are set up in Groups or Branches on the CyberPilot App. Read this guide for how to set up Groups and Branches.
- E.g., you could create Groups called “Management”, “IT staff” or “Employees with company-issued phones”.
- Next, go to the Training Planner and set up training plans for each of these groups with relevant courses.
- See our Recommended training plans below if you want some inspiration about what courses to use.
Using CyberPilot to enroll users in your own training
You can also upload your own training material to the CyberPilot App and then enroll users and track completions. Here's how to do that.
Another option is to customize training content already available in the CyberPilot App. For example, you can build your own course using one of our standard courses as a foundation and then add organization- or role-specific details. Here's how to do that.
Recommended training plans
Here are some key groups that might need training in particular areas and our recommended relevant courses.

This is a suggestion, and you can of course tailor the specific courses you put in your training plans to your organization’s particular concerns.
Note: If a user is subject to multiple training plans, they will receive the courses from all of them.
This can happen, e.g., if you have one training plan for all users and another for IT staff. Members of IT staff will then be enrolled in the courses of both plans.
This can be useful. For example, you can use group-specific training as a supplement to a training plan that always sends out newly released CyberPilot courses.