The Digital Operational Resilience Act (DORA) has been in force since 17 January 2025 for all financial institutions in the EU — banks, insurers, asset managers, payment service providers, and ICT suppliers to the financial sector. DORA runs parallel to the Dutch Cybersecurity Act (Cbw) but is lex specialis: where Cbw and DORA overlap for financial entities, DORA applies. What does DORA say about awareness, how does it relate to Cbw, and what must you address practically?
What is DORA and to whom does it apply?
DORA (Regulation 2022/2554) is an EU regulation — not a directive — meaning it applies directly in all EU member states without national transposition. Since 17 January 2025 DORA is binding on:
- Banks and credit institutions
- Insurers and reinsurers
- Asset managers and investment firms
- Payment service providers, e-money institutions, fintech
- Central counterparties, trading venues, transaction registers
- Crowdfunding providers and crypto-asset service providers
- Critical ICT third-party providers (special designation regime)
DORA and the Cbw — which applies?
In the Netherlands the financial sector faces layered supervision: the Cybersecurity Act for general cyber, DORA for sector-specific ICT risk, and existing prudential frameworks for financial stability.
General rule: DORA prevails where DORA and Cbw overlap. DORA is lex specialis. For topics only in Cbw (not in DORA), Cbw applies. For topics in both (e.g. incident reporting), follow DORA.
Practical implication: a financial institution does not need to run two parallel programmes. One DORA programme covers most needs, supplemented for Cbw-specific items DORA does not regulate (e.g. board training under Cbw art. 24).
DORA article 13 — ICT awareness and training
DORA article 13 requires financial entities to set up "ICT awareness programmes and digital operational resilience training" as a mandatory part of ICT risk management:
- All staff must receive regular base training — not only IT personnel
- Staff in critical functions get additional specialised training
- Training must be tailored to role and risk
- The board completes periodic training on ICT risk and digital operational resilience
- Effectiveness must be measured and evaluated — not just attendance, but behaviour change
CEO fraud and BEC — the #1 threat in finance
Financial institutions are disproportionately hit by Business Email Compromise (BEC) and CEO fraud. According to FBI data, the financial sector accounts each year for 15-20% of all reported BEC incidents globally, while it represents only ~5% of the economy.
The risk profile differs from generic phishing. Attackers target finance and treasury functions with scenarios such as: an urgent order from the "CFO" out of hours, a supplier email with a changed account number, a "compliance question" about a specific transaction.
Effective DORA awareness in finance trains specifically on these scenarios, with verification protocols as concrete reflexes. Generic phishing content falls short here.
DORA incident reporting versus Cbw
DORA article 19 introduces its own incident reporting regime. Significant ICT incidents must be reported to the competent authority (NL: DNB) per DORA timelines. Cbw article 25 also has reporting obligations (24/72 hours, final report within one month) for general cybersecurity incidents.
For financial institutions: a significant ICT incident under both DORA and Cbw → use DORA reporting (DORA is lex specialis). For Cbw-only incidents → use Cbw reporting.
Large financial institutions typically operate one integrated incident response process satisfying both, with automatic triage to determine which framework(s) apply.
Supervision and sanctions
In the Netherlands DORA is enforced by De Nederlandsche Bank (DNB) and the Autoriteit Financiële Markten (AFM), depending on institution type. The ECB (via SSM) is involved for systemically important banks.
DORA fines can reach 1% of global daily turnover per day of ongoing breach — uniquely high among compliance regimes. Regulators can also issue directives, withdraw licences, and remove ICT suppliers from the critical-providers list.
In the first 12-18 months after 17 January 2025 regulators take a graduated approach: focus on demonstrable progress, not maximum fines. Exception: late incident reports and critical ICT suppliers not meeting contractual obligations are enforced immediately.
See how 2LRN4 turns this topic into a workable Cbw programme with training, phishing simulation and board reporting.
FAQ
Do fintech and crypto fall under DORA?
Yes. DORA explicitly covers PSPs, e-money institutions, crowdfunding providers and crypto-asset service providers (CASPs under MiCA). Small fintechs below thresholds may have simplified regimes but are rarely fully excluded.
How does DORA relate to Solvency II?
DORA is specific to ICT risk; Solvency II to financial prudence. ICT risk under DORA is its own category alongside credit, market and operational risk.
What are "critical ICT third-party providers" under DORA?
ICT suppliers designated by the European supervisory authorities (ESAs) — typically large cloud providers, payment processors, and specific fintech platforms used by many financial institutions. CTPPs fall under direct EU supervision.
Do insurers follow the same regime as banks?
Substantially yes, with sector-specific emphases. Insurers have less direct real-time ICT risk but more exposure to claims data and actuarial models.
What is DORA Threat-Led Penetration Testing?
DORA articles 26-27 require large financial institutions to conduct periodic (every 3 years) Threat-Led Penetration Tests — supervised red-team exercises. Smaller institutions face a lighter regime of vulnerability assessments.
How do I start as a small financial institution?
Three priorities: (1) gap analysis on DORA art. 5-19; (2) revise ICT supplier contracts for DORA clauses; (3) build a training programme covering both DORA art. 13 and Cbw art. 21. Sector collectives often offer shared DORA implementation programmes.