DORA Article 13 Section 6 imposes training-and-awareness obligations on regulated financial entities. The text of the article is relatively brief; the interpretation by home-state supervisors has emerged over the past twelve months in the first cohort of inspections.
Our customer base now includes a handful of regulated entities that have been through DORA-aligned inspections. The patterns of supervisor questioning have been consistent enough across home-state supervisors to be worth documenting.
Three categories of evidence are consistently requested.
First, evidence of programme coverage. Supervisors want to see that the awareness programme covers the entire workforce, with explicit segmentation for the populations where ICT-related risk is materially elevated — treasury operations, payments operations, IT operations, third-party-management functions. Generic broadcast training to the whole workforce, without segmentation, has been flagged as insufficient evidence in at least two inspections we have visibility into.
Second, evidence of programme effectiveness. Completion metrics are not sufficient; supervisors want to see assessment-outcome data, with traceability to remedial action where assessments are failed. The level of detail expected is similar to what SOC 2 auditors are now asking for (see our 2026 update for the SOC 2 perspective).
Third, evidence of management awareness. The article specifically references the training expectations on management bodies; supervisors are asking for the training records of senior management in addition to the workforce-wide records. Several inspected entities have been caught short on this requirement, having assumed the management awareness obligation was satisfied by board-level briefings rather than formal training.
Operational implications. Regulated entities should validate that their awareness programme covers the entire workforce with explicit segmentation for elevated-risk functions, that the programme produces assessment-outcome data alongside completion data, and that the management training records are documented at the same standard as the workforce records.
Our DORA reporting covers all three by default. Customers preparing for inspection commonly start the engagement with our customer-success team six to eight weeks before the inspection window; the lead time is sufficient to surface and remediate any gaps before the supervisor's evidence request arrives.