DORA tells you to monitor whether your resilience measures work. Show it for your people.
Awareness and resilience training are compulsory for every employee and board member — and you're expected to monitor how effective your strategy actually is. That means measuring behaviour, not attendance.
Mandatory training is the floor, not the goal
DORA makes ICT security awareness and digital operational resilience training compulsory for all staff and senior management. But the regulation also tells you to monitor the effectiveness of your resilience strategy over time and to map how your risk is evolving. Running the training satisfies one clause. Showing it's working satisfies the intent.
Human behaviour is operational resilience
The people using your systems every day are part of your operational resilience, and their behaviour is measurable. Praxis Navigator builds rolling behavioural baselines from your Microsoft 365 data, so you can see whether resilience is improving across the workforce — and evidence it when supervisors ask. Not a point-in-time snapshot. A trend you can defend.
Board-level, by design
DORA expects your management body to understand and actively steer ICT risk. Stakeholder-ready reporting gives leadership a clear, current read on human-layer risk — the evidence that oversight is real, not nominal.
The plan
Connect — Connect Microsoft 365 in 15 minutes.
See — See workforce security behaviour, with months of history immediately.
Prove — Monitor and evidence the effectiveness of your resilience measures.
Peer-reviewed field research
29–55%
of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.
Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
Industry forecast
Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.
Gartner, cybersecurity trend guidance.
Peer-reviewed field research
When employees believed their colleagues were already handling security well, they became more susceptible to phishing, not less — a boomerang effect. A clear, salient security policy could likewise increase casual link-clicking.
From the same field study of 83,269 employees across 510 organizations.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
DORA requires financial entities to monitor the effectiveness of their digital operational resilience strategy, and makes security awareness and resilience training compulsory for every employee and board member. Applies to EU financial entities.