DORA tells you to monitor whether your resilience measures work. Show it for your people.

Awareness and resilience training are compulsory for every employee and board member — and you're expected to monitor how effective your strategy actually is. That means measuring behaviour, not attendance.

Mandatory training is the floor, not the goal

DORA makes ICT security awareness and digital operational resilience training compulsory for all staff and senior management. But the regulation also tells you to monitor the effectiveness of your resilience strategy over time and to map how your risk is evolving. Running the training satisfies one clause. Showing it's working satisfies the intent.

Human behaviour is operational resilience

The people using your systems every day are part of your operational resilience, and their behaviour is measurable. Praxis Navigator builds rolling behavioural baselines from your Microsoft 365 data, so you can see whether resilience is improving across the workforce — and evidence it when supervisors ask. Not a point-in-time snapshot. A trend you can defend.

Board-level, by design

DORA expects your management body to understand and actively steer ICT risk. Stakeholder-ready reporting gives leadership a clear, current read on human-layer risk — the evidence that oversight is real, not nominal.

The plan

1

Connect — Connect Microsoft 365 in 15 minutes.

2

See — See workforce security behaviour, with months of history immediately.

3

Prove — Monitor and evidence the effectiveness of your resilience measures.

Peer-reviewed field research

29–55%

of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.

Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.

Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.

Industry forecast

Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.

Gartner, cybersecurity trend guidance.

Peer-reviewed field research

When employees believed their colleagues were already handling security well, they became more susceptible to phishing, not less — a boomerang effect. A clear, salient security policy could likewise increase casual link-clicking.

From the same field study of 83,269 employees across 510 organizations.

Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.

DORA requires financial entities to monitor the effectiveness of their digital operational resilience strategy, and makes security awareness and resilience training compulsory for every employee and board member. Applies to EU financial entities.

Questions security leaders ask

Does DORA require measuring training effectiveness?
DORA makes security awareness and resilience training compulsory for all employees and senior management, and requires financial entities to monitor how effective their resilience strategy is over time. Monitoring effectiveness means measuring behaviour and mapping how risk evolves — not counting who attended.
How do you prove security training effectiveness for compliance?
You measure the behaviour the training is meant to change, establish a baseline, and track it over time. Before-and-after behavioural evidence — more people using MFA, fewer risky actions, faster improvement after you intervene — is what demonstrates effectiveness. Praxis Navigator produces it from your own Microsoft 365 data.
What's the difference between activity metrics and behavioural evidence?
Activity metrics count what happened — courses completed, links clicked, emails sent. Behavioural evidence shows what changed — whether people actually handle security more safely than before. Regulations increasingly ask for the second. Only the second proves a measure is effective.