
DORA Compliance: How to Prove Your Team Read the ICT Policy

PaperLink Team, 9 min read

DORA has been enforceable since January 17, 2025. Your ICT security policies are written. Your training programs exist on paper. But when the supervisor walks in and asks "prove your staff completed the training" - what do you hand them?

If the answer is a spreadsheet of checkboxes, you have a problem. European supervisory authorities have shifted to what the industry calls "interventionist supervision" - active enforcement with real consequences. The grace period is over. The question is no longer whether your financial institution has ICT policies, but whether you can demonstrate they reached the people who matter.

What DORA Article 13 Actually Requires

Article 13(6) of the Digital Operational Resilience Act is specific: financial entities must "develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes." This applies to all employees and senior management, with complexity "commensurate to the remit of their functions."

Three elements make this requirement harder than it looks:

Compulsory, not optional. DORA does not say "offer training." It says compulsory modules integrated into staff training schemes. An optional webinar link in the corporate newsletter does not satisfy this requirement.

All employees and senior management. Not just the IT department. The relationship manager, the branch teller, the risk analyst, the C-suite - everyone who touches ICT systems, which in a modern financial institution means everyone. Article 5(4) adds that management body members must "actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk."

Commensurate complexity. A one-size-fits-all policy PDF does not meet the standard. Different roles require different depth. The CISO needs detailed incident response procedures. The front-office staff need data handling basics. The board needs enough to govern ICT risk effectively. Auditors check whether you made this distinction.

DORA does not specify exactly which training content is sufficient - it leaves interpretation to each institution. This creates both flexibility and risk. If your interpretation is weaker than what the supervisor expects, the training is treated as inadequate regardless of how many employees "completed" it.

The Penalty Context

DORA enforcement is not theoretical. National competent authorities across the EU can impose penalties that scale with the severity of non-compliance.

Non-compliance can also trigger public disclosure of violations - reputational damage that in financial services can be more costly than the fine itself.

Training documentation failures sit at the intersection of multiple DORA requirements. If an ICT incident occurs and the investigation reveals that the affected employee never read the incident response policy, you face both the incident penalties and the training compliance gap simultaneously.

Why Checkboxes Fail DORA Audits

Most financial institutions handle ICT policy distribution the same way: upload the policy to the intranet or HR system, send an email, collect a digital signature or checkbox confirmation. The compliance team records "acknowledged" next to each name.

This approach has three problems under DORA:

Supervisors ask for independent evidence. Auditors want proof that "the persons responsible for controls have the necessary knowledge and experience" - not just that they clicked a button. A checkbox proves the employee saw a prompt. It does not prove they read the 40-page ICT risk management policy attached to it.

DORA requires ongoing learning, not one-time acknowledgement. Article 13 falls under the heading "Learning and evolving." The regulation envisions continuous training that adapts after incidents - not an annual checkbox ritual. Knowledge should be updated after an incident, because cybersecurity is a dynamic field requiring continuous education.

Audit trails must show what happened, not just that something happened. DORA expects audit logs documenting who drafted, who reviewed, and when items were submitted. Extending this logic to training: the audit trail should show not just "policy distributed" but "policy read, by whom, when, for how long."

A checkbox satisfies the letter of "distribute training." It does not satisfy the spirit of "develop ICT security awareness" that DORA demands.

What DORA Training Evidence Should Look Like

The gap between what most institutions record and what supervisors increasingly expect is where compliance risk lives. Effective DORA training evidence captures the journey from distribution to engagement:

Per-employee completion tracking. Not "342 out of 400 acknowledged" but "342 completed the full document, 38 viewed only the first three pages, 20 have not opened it." This is the difference between a compliance checkbox and an actionable compliance dashboard.

Time-based engagement data. A 25-page ICT risk management framework "read" in 12 seconds is not reading. Time-per-page analytics distinguish genuine engagement from click-through behavior. When the supervisor asks whether staff understood the policy, you can show average reading times that align with document complexity.

Role-appropriate distribution records. DORA requires complexity commensurate with function. Your evidence should show that the CISO received the detailed incident classification procedure while front-office staff received the appropriate data handling summary - not that everyone got the same PDF.

Version-aware audit trail. When the ICT risk management policy is updated after an incident (as DORA envisions), the audit trail shows which employees completed the new version versus the old one. Post-incident re-acknowledgement is documented with the same depth as initial distribution.

Anti-gaming protections. Tab visibility detection stops the reading timer when an employee switches to email or minimizes the browser. Reading speed analysis flags impossible patterns - a 30-page policy "completed" in 45 seconds. These protections ensure the data you show auditors reflects genuine engagement.
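The two protections just described, as an added JavaScript example that is not PaperLink's code and does not come from the original article: a reading-session recorder whose page timers only accrue while the tab is visible, and an evaluator that flags a 100% "completion" reached at an implausible reading speed. The viewer that calls openPage, the injected clock, the per-page word counts, the 1,000 words-per-minute threshold and the two sample sessions are all constructed assumptions.

```javascript
// Added example, not PaperLink's code: a reading-session recorder for a browser-based
// policy viewer plus an evaluator that turns its timings into engagement evidence.
// Thresholds and sample data below are constructed assumptions for illustration.

// Assumption: reads faster than this are treated as click-through, not reading.
const MAX_PLAUSIBLE_WPM = 1000;

class ReadingSession {
  // clock is injected (defaults to Date.now) so the logic can be exercised offline.
  constructor(documentId, version, employeeId, clock = () => Date.now()) {
    this.documentId = documentId;
    this.version = version;
    this.employeeId = employeeId;
    this.clock = clock;
    this.pageTimesMs = {};     // page number -> milliseconds of visible time
    this.currentPage = null;
    this.visible = true;
    this.segmentStart = null;  // start of the current page/visibility segment
  }

  // Credit the running segment to the current page (only if the tab was visible)
  // and start a new segment from now.
  _flush() {
    const now = this.clock();
    if (this.currentPage !== null && this.visible && this.segmentStart !== null) {
      const prior = this.pageTimesMs[this.currentPage] || 0;
      this.pageTimesMs[this.currentPage] = prior + (now - this.segmentStart);
    }
    this.segmentStart = now;
  }

  openPage(page) {            // called by the viewer when a page becomes current
    this._flush();
    this.currentPage = page;
    if (!(page in this.pageTimesMs)) this.pageTimesMs[page] = 0;
  }

  // In a browser, wire this to the Page Visibility API:
  //   document.addEventListener('visibilitychange', () => s.setVisible(!document.hidden));
  setVisible(isVisible) {
    this._flush();
    this.visible = isVisible;
  }

  end() {                     // called on viewer close / page unload
    this._flush();
    this.currentPage = null;
  }
}

// Evaluate one session against the document's per-page word counts.
function evaluateSession(session, pageWordCounts) {
  const pagesViewed = Object.keys(session.pageTimesMs).map(Number);
  const completionPct = Math.round((pagesViewed.length / pageWordCounts.length) * 100);
  const activeMs = Object.values(session.pageTimesMs).reduce((a, b) => a + b, 0);
  const wordsSeen = pagesViewed.reduce((sum, p) => sum + pageWordCounts[p - 1], 0);
  let wordsPerMinute = 0;
  if (activeMs > 0) wordsPerMinute = wordsSeen / (activeMs / 60000);
  else if (wordsSeen > 0) wordsPerMinute = Infinity;   // pages opened with no visible time
  const flags = [];
  if (completionPct === 100 && wordsPerMinute > MAX_PLAUSIBLE_WPM) {
    flags.push('implausible-reading-speed');
  }
  return {
    employeeId: session.employeeId,
    documentId: session.documentId,
    version: session.version,
    completionPct,
    activeSeconds: Math.round(activeMs / 1000),
    wordsPerMinute: Math.round(wordsPerMinute),
    flags,
  };
}

// Constructed demo: a 3-page policy (400/500/300 words) read two different ways.
const SAMPLE_PAGE_WORDS = [400, 500, 300];

function demo() {
  let now = 0;
  const clock = () => now;

  // Genuine reader: minutes per page, with a 5-minute detour to email not credited.
  const genuine = new ReadingSession('ict-policy', 'v2', 'emp-001', clock);
  genuine.openPage(1); now += 120000;
  genuine.setVisible(false); now += 300000;   // tab hidden: timer paused
  genuine.setVisible(true);
  genuine.openPage(2); now += 150000;
  genuine.openPage(3); now += 90000;
  genuine.end();

  // Click-through: all three pages "completed" in 15 seconds.
  const skim = new ReadingSession('ict-policy', 'v2', 'emp-002', clock);
  skim.openPage(1); now += 5000;
  skim.openPage(2); now += 5000;
  skim.openPage(3); now += 5000;
  skim.end();

  return {
    genuine: evaluateSession(genuine, SAMPLE_PAGE_WORDS),
    skim: evaluateSession(skim, SAMPLE_PAGE_WORDS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The genuine session scores 200 words per minute with no flags even though the employee was away for five minutes, because hidden time is never credited; the click-through session scores 4,800 words per minute and is flagged. Storing the per-page timings rather than a single "opened" flag is what lets the compliance team later separate "completed the full document" from "viewed only the first three pages".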

Who Inside the Institution Needs This

DORA training requirements touch every level of a financial entity:

Role | ICT policy documents | Evidence standard
Board / Management body | ICT risk governance framework, business continuity plans | Must demonstrate "sufficient knowledge to understand and assess ICT risk" (Article 5(4))
CISO / ICT risk team | Full ICT risk management framework, incident response, third-party risk policies | Detailed engagement evidence - these are the subject matter experts
Compliance officers | DORA regulatory mapping, reporting procedures | Evidence of understanding reporting obligations and timelines
Operations / front office | Data handling, access control, acceptable use policies | Role-appropriate training completion at proportionate depth
Third-party providers | Relevant security requirements per Article 30(2)(i) | Documented acknowledgement of contractual ICT security obligations

The common requirement across all roles: supervisors want independent evidence that process owners are qualified. Training documentation is the first thing they check.

How This Works in Practice

The workflow does not require replacing your existing systems. Most financial institutions already have policy management tools, learning management systems, or HR platforms. What they lack is the evidence layer between "distributed" and "read."

  1. Upload the ICT policy document to a document sharing platform with built-in reading analytics
  2. Generate tracked links - one per role group, or one per employee for audit granularity
  3. Distribute through existing channels (email, intranet, HR system, compliance portal)
  4. Employees open the link and read in a secure browser-based viewer - no app download, no additional login
  5. The analytics engine records every session: pages viewed, time per page, completion percentage, return visits
  6. The compliance team exports a report showing per-employee engagement data, role-based distribution confirmation, and version history

The employee experience is simple: click a link, read a document. The compliance team gets evidence that stands up to supervisory examination.
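Step 6 of the workflow above, as an added JavaScript example that is not PaperLink's code and does not come from the original article: it aggregates per-session engagement summaries (the kind of record step 5 produces) into a per-employee report that confirms role-based distribution and distinguishes completion of the current policy version from completion of a superseded one. The role-to-document mapping, the current version identifier, the roster and the session records are all constructed assumptions.

```javascript
// Added example, not PaperLink's code: aggregating per-session engagement records into
// the per-employee, role-aware, version-aware report of step 6. The role-to-document
// mapping, the current version and all records below are constructed for illustration.

// Assumption: which policy variant each role must read (commensurate complexity).
const ROLE_DOCUMENTS = {
  'board': 'ict-governance-brief',
  'ict-risk': 'ict-risk-framework-full',
  'front-office': 'data-handling-summary',
};

// Assumption: the version reissued after the latest incident.
const CURRENT_VERSION = 'v2';

// Status for one employee on one document version, from the best session seen.
function classify(sessions) {
  if (sessions.length === 0) return 'not-opened';
  const best = Math.max(...sessions.map(s => s.completionPct));
  return best >= 100 ? 'completed' : 'partial';
}

// roster: [{employeeId, role}]; sessions: summaries from the viewer's analytics
// ({employeeId, documentId, version, completionPct, activeSeconds}).
function buildReport(roster, sessions) {
  const report = {
    summary: { completed: 0, partial: 0, 'not-opened': 0 },
    byEmployee: [],
    needsReacknowledgement: [],   // completed an old version, not the current one
    wrongDocument: [],            // opened a document not assigned to their role
  };
  for (const person of roster) {
    const requiredDoc = ROLE_DOCUMENTS[person.role];
    const own = sessions.filter(s => s.employeeId === person.employeeId);
    // Version-aware: only sessions on the current version of the required document count.
    const current = own.filter(s => s.documentId === requiredDoc && s.version === CURRENT_VERSION);
    const previous = own.filter(s => s.documentId === requiredDoc && s.version !== CURRENT_VERSION);
    const status = classify(current);
    const completedPrevious = classify(previous) === 'completed';
    report.summary[status] += 1;
    if (status !== 'completed' && completedPrevious) {
      report.needsReacknowledgement.push(person.employeeId);
    }
    // Role-based distribution check: a session on someone else's document variant.
    const misrouted = [...new Set(own.filter(s => s.documentId !== requiredDoc).map(s => s.documentId))];
    if (misrouted.length > 0) {
      report.wrongDocument.push({ employeeId: person.employeeId, documents: misrouted });
    }
    report.byEmployee.push({
      employeeId: person.employeeId,
      role: person.role,
      requiredDocument: requiredDoc,
      version: CURRENT_VERSION,
      status,
      completedPreviousVersion: completedPrevious,
      activeSeconds: current.reduce((sum, s) => sum + s.activeSeconds, 0),
    });
  }
  return report;
}

// Constructed sample data: four employees, five recorded sessions.
const SAMPLE_ROSTER = [
  { employeeId: 'emp-001', role: 'ict-risk' },
  { employeeId: 'emp-002', role: 'front-office' },
  { employeeId: 'emp-003', role: 'front-office' },
  { employeeId: 'emp-004', role: 'board' },
];

const SAMPLE_SESSIONS = [
  { employeeId: 'emp-001', documentId: 'ict-risk-framework-full', version: 'v1', completionPct: 100, activeSeconds: 900 },
  { employeeId: 'emp-001', documentId: 'ict-risk-framework-full', version: 'v2', completionPct: 100, activeSeconds: 1100 },
  { employeeId: 'emp-002', documentId: 'data-handling-summary', version: 'v1', completionPct: 100, activeSeconds: 300 },
  { employeeId: 'emp-003', documentId: 'data-handling-summary', version: 'v2', completionPct: 40, activeSeconds: 60 },
  { employeeId: 'emp-003', documentId: 'ict-risk-framework-full', version: 'v2', completionPct: 10, activeSeconds: 20 },
];

function demoReport() {
  return buildReport(SAMPLE_ROSTER, SAMPLE_SESSIONS);
}

console.log(JSON.stringify(demoReport(), null, 2));
```

On the sample data the report shows one employee completed on the current version, one partial, two not opened, emp-002 listed for re-acknowledgement because their only completion is of the superseded v1, and emp-003 flagged for opening the full ICT risk framework that is not assigned to the front-office role. Keying every count on (document, version) rather than on "acknowledged" is what makes the post-incident re-distribution auditable with the same depth as the initial one.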

DORA applies to over 22,000 financial entities across the EU, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party service providers. The training evidence challenge affects all of them.

Beyond DORA: The Regulatory Pattern

DORA is not an isolated requirement. Financial institutions operate under overlapping compliance frameworks that all demand training documentation:

  • MiFID II requires firms to ensure staff competence and maintain records of qualifications and training
  • GDPR requires documented evidence that employees handling personal data understand data protection obligations
  • AML/KYC directives require ongoing training on anti-money laundering procedures with documented completion
  • PSD2 requires payment service providers to train staff on fraud prevention and security protocols
  • Solvency II (insurance) requires risk management knowledge across the organization

Each framework has its own supervisor, its own examination schedule, and its own expectations for documentation quality. An institution that solves the evidence problem for DORA simultaneously strengthens its position across every overlapping framework.

The regulator's question is always the same: "Show me that your people know what they need to know." The quality of your answer determines whether the examination ends with a clean report or a remediation order.

The Evidence Gap Is a Compliance Risk

Financial institutions have spent significant resources writing ICT policies, building risk frameworks, and designing training curricula that satisfy DORA's substantive requirements. The gap is not in the content - it is in the proof.

When a supervisor asks for evidence that 2,000 employees completed the updated ICT risk management training after a significant incident, the answer cannot be "we sent an email and tracked who clicked acknowledge." That evidence model was designed for a regulatory era that expected good intentions. DORA expects demonstrated outcomes.

Page-level reading analytics, time-based engagement tracking, and role-appropriate distribution records transform training documentation from a compliance checkbox into supervisory-grade evidence. The institutions that adopt this standard now will face examinations with confidence. The ones that don't will discover the gap when it matters most.

PaperLink tracks page-by-page viewing analytics for shared documents - including time per page, completion percentage, and tab visibility detection. Financial institutions use it to generate audit-ready evidence of ICT policy reading across all employee roles. Try it free.
