
DORA Tightens Cybersecurity Training Requirements for Financial Institutions


Bottom line: DORA no longer treats people as an unavoidable security risk, but makes structured training and a security culture mandatory components of cyber resilience.

The EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554, in application since 17 January 2025) requires financial institutions to address human error systematically through training and a security culture, because employee mistakes rank among the most common causes of security incidents.

According to a Bitkom study on economic security in 2025, 59 percent of German companies view cyberattacks as an existential threat. While many organizations have already invested in technical protective measures, practice shows that security incidents are predominantly caused by human error, from careless clicks on phishing links to the negligent disclosure of access credentials.

DORA is aimed primarily at banks, insurers and other financial service providers (and, via oversight, at their critical ICT third-party providers) and establishes a uniform legal framework for digital resilience. Unlike earlier regulations, DORA does not treat the human factor as an inevitable residual risk but explicitly requires organizational measures: employee qualification and awareness become mandatory components of ICT risk management. Article 13(6) spells this out by requiring ICT security awareness programmes and digital operational resilience training as compulsory modules in staff training schemes, covering all employees and senior management. Regulated entities must therefore demonstrate that they operate their security technologies effectively and manage risks systematically, including the human sources of error.

A 2025 survey of 500 companies across various sectors shows that one in seven companies fell victim to a serious cyberattack in the preceding twelve months. Yet the majority of them still treat cybersecurity as a secondary concern, particularly its human dimension. Security reports demonstrate, however, that not only inexperienced staff but even trained professionals make poor decisions under pressure and thereby circumvent security policies.

DORA therefore demands more from regulated financial institutions than the mere existence of security policies. They must establish a sustainable security culture in which recurring training is part of systematic risk management and its effectiveness can be evidenced to supervisors. This elevates employee training for the first time to the level of a strategic compliance requirement.


Source: www.it-daily.net · Published June 19, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
