Cyber Security Training & Software for Companies | MetaCompliance


Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters



Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 

Financial Services

Creating A First Line Of Defence For Financial Service Organisations


A Go-To Security Awareness Solution For Governments


A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives



From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

MetaCompliance | Cyber Security Training & Software for Employees


With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes


Meet the MetaCompliance Leadership Team


Stay informed about cyber awareness training topics and mitigate risk in your organisation.

What is the Digital Operational Resilience Act (DORA)?


about the author

Share this post

DORA affects the EU financial services sector, and this legislation is about to make waves in the financial industry. Here is a look at some of the DORA obligations that financial institutions must adhere to.

The financial services sector has long been a technology innovator and first mover. Advances in banking and finance have meant that digital transformation in the industry has surged ahead. But new technology and new ways of working entice cybercriminals. The result is that attacks against the financial sector are soaring.

In 2021, banking experienced a ​​1,318% increase in ransomware attacks, and 65% of large financial organisations experienced a cyber attack in 2020. The severe nature of increasingly complex and damaging cyber attacks within the financial sector has led to new legislation entering the financial services regulation lexicon, and its name is DORA (Digital Operational Resilience Act).

DORA Basics

The first draft of DORA was published on 24 September 2020, and on 10 September 2022, the European Parliament approved. The legislation will play a central part in the ‘digital finance package,’ used to enable digital finance innovation and competition while mitigating the risks arising from the industry’s digitisation.

As such, Article 114 of the Treaty on the Functioning of the European Union (TFEU) is used as the legal basis for DORA; the legislation focuses on harmonising cyber security guidelines across the sector. 

The EU likes to use regulatory means to consolidate and harmonise best practices; the GDPR is an example of a harmonised data privacy regulation; DORA is the EU’s attempt at consolidating and upgrading ICT risk management across the financial sector, with DORA impacting EU financial services firms and their (critical) ICT providers.

DORA will require financial sector firms to implement measures that protect them against ICT-related risks: as such, DORA extends requirements to include third parties, such as cloud providers.

What Obligations Does DORA Require from the Financial Sector?

The goal is to create a resilient environment across the financial services ecosystem. The underlying framework of DORA is built upon a set of rules that are designed to help financial institutions develop robust risk management processes. Some of the core requirements and coverage of DORA include the following:

Scope of DORA

Almost all types of financial entities will come under DORA. Covered entities include credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, alternative investment funds, insurance managers, etc. The exception is auditors, who are currently not subject to DORA rules, but this is likely to change in future versions of the Act. For a complete list of covered entities, see Article 2 of DORA.

ICT providers who service covered entities under DORA must also adhere to the Act. ICT providers are viewed as pivotal to the financial sector and, as such, are subject to stringent rules under DORA. Critical non-EU-based ICT service providers to financial entities in the EU must establish a subsidiary within the EU.

ICT Providers and DORA

Third-party risk management is a key part of DORA. The focus on ICT providers is a reaction to the increase in supply chain attacks such as the SolarWinds Orion software update. The European Union Cybersecurity Agency (ENISA) reported increased sophistication and volume of supply chain attacks, with attackers targeting the supply chain to steal data and financial assets. DORA coordinates requirements using existing frameworks such as the European Banking Authority (EBA) Outsourcing Guidelines. (See also DORA Article 14)

Under DORA, financial firms can define some ICT providers as ‘critical.’ As such, a critical ICT provider that services a DORA-covered entity will come under stringent rules enforced via direct engagement with the EU FS (financial services) authorities.

Key Cyber Security Measures

The core values of DORA legislation are to maintain resilient ICT systems. To achieve this, the following guidelines have been set out:

Risk Management and Resiliency

At the core of DORA are risk management guidelines to help the financial services sector build more resilient infrastructures. The resulting risk management programs and assessments are used as a basis for resiliency testing. In addition, the legislation expects that business impact analyses based on “severe business disruption” scenarios must be carried out.

Resiliency and vulnerability testing are expected to be carried out by independent experts and include regular threat-led penetration testing. Importantly, all critical ICT systems should be tested annually.

Protection Measures (see also Article 8)

Examples of protection measures required include:

  • Use appropriate and comprehensive policies for patches and updates.
  • Implement policies and protocols for strong authentication mechanisms
  • Follow a risk-based approach to establish a sound network and infrastructure management
  • Implement policies that limit the physical and virtual access to ICT system resources and data
  • Prevent information leakage

ICT-Incident Management

Article 15 contains details about requirements to manage and control security incidents, including procedures to “detect, manage and notify ICT-related incidents and shall put in place early warning indicators as alerts.”

Reporting Cyber Security Incidents

Covered entities must provide a means to monitor, describe, and report any significant ICT-based incidents to relevant authorities. Reporting rules are stringent for critical ICT providers. They include making an initial notification no later than the end of the business day, or if the significant incident occurred later than 2 hours before the end of the business day, no later than 4 hours from the beginning of the next business day.

From there, an intermediate report is required no later than one week after the initial notification; this is followed by a final report when the root cause analysis has been completed no later than one month after sending the initial report.

Management and Security Accountability

DORA places accountability for ICT risks and cyber threats at the door of the management group of financial services. Providing Security Awareness Training will help ensure the C-level, and the entire company are security-focused.

DORA also covers essential cyber security management and response aspects such as information sharing (see Article 40).

What Next for DORA?

The regulation has a 24-month implementation period for financial entities and their critical third-party service providers from legislation go-live. Therefore, covered entities are advised to use the 24 months between the legislation going live date and implementation of compliant measures to do a gap analysis: measures such as threat-led penetration testing and stringent reporting rules could otherwise fall through that gap.

Security Awareness Training for Third-Party Vendor

Other Articles on Cyber Security Awareness Training You Might Find Interesting