DORA no longer treats humans as an unavoidable security risk, but mandates structured training and security culture as mandatory components of cyber resilience.