⚠️ Why This Training Is Legally Mandatory — Not Optional

DORA (Art. 5) and NIS2 (Art. 20) explicitly require that members of the management body follow cybersecurity training, and the EU AI Act (Art. 4) adds a parallel AI-literacy obligation for the people who operate or oversee AI systems on the organisation's behalf. This is not a recommendation. It is a legal obligation.

An organisation that cannot evidence board training will be treated by supervisors as not having met the obligation, independently of whether a breach has occurred.

Completion of this course generates a timestamped, auditable certificate and a training record suitable for submission to regulators, auditors, insurers, and courts.

What 'Training' Means in Practice

  • Training must be documented — the organisation must be able to show, in writing, which cybersecurity training programme each board member and C-suite executive completed, and when.
  • Training must be current — both DORA and NIS2 require training 'on a regular basis'. Neither fixes an interval, but regulators expect training to be refreshed, and annual completion is the commonly applied baseline.
  • Training must be adequate — a 30-minute awareness video does not meet the standard for board members. A substantive programme covering governance obligations, threat landscape, and regulatory requirements — such as this one — does.
  • Training records are evidence — in an enforcement investigation, the regulator will ask for training records as part of their assessment of whether the management body was fulfilling its obligations.
⚖️ Legal Alert
Under DORA Article 5(4), members of the management body must actively keep up to date with 'sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis'. Under NIS2 Article 20(2), members of the management body are required to follow training so that they can identify risks and assess cybersecurity risk-management practices. Under both regimes the management body is accountable for compliance, and non-compliance is an enforcement matter.
Last modified: Tuesday, 24 March 2026, 2:37 PM