The Digital Operational Resilience Act (DORA) became enforceable on January 17, 2025. Financial institutions must now demonstrate that their staff are trained on ICT risk management, incident response, and third-party oversight — with verifiable proof.

This checklist covers the 12 evidence items your auditor will look for. Use it to gap-check your training program before your next regulatory review.


The 12 Evidence Items

1. Documented training plan aligned with ICT risk

Your organisation must have a formal training plan that maps directly to your ICT risk assessment. The plan should name target populations, training objectives, and delivery timelines.

What the auditor checks: A signed, dated document linking each identified risk to a specific training action.


2. Proof of completion per employee

Every employee in scope must have a timestamped completion record. “We sent an email” is not proof. The auditor needs per-person evidence that training was accessed and finished.

What the auditor checks: Completion logs with dates, employee IDs, and module identifiers.


3. Assessment of understanding (not just attendance)

DORA Article 13(6) requires that staff demonstrate understanding, not merely show up. A quiz, scenario-based assessment, or validated exercise is mandatory.

What the auditor checks: Individual scores or pass/fail records linked to assessed learning objectives.


4. Frequency and recurrence records

Training is not a one-off event. Regulators expect periodic refreshers — at minimum annually, and whenever regulations or internal procedures change materially.

What the auditor checks: A schedule showing recurrence intervals and evidence of repeat completions.


5. Coverage of all DORA-relevant topics

The regulation covers multiple domains: ICT governance, incident classification, business continuity testing, third-party risk. Your training must cover all applicable topics, not just cybersecurity basics.

What the auditor checks: A mapping of training modules to each DORA chapter and article relevant to your entity type.


6. Role-based differentiation

Board members, senior management, and operational staff have different obligations under DORA. Your training must reflect this hierarchy with tailored content per audience.

What the auditor checks: Distinct modules or learning paths by role, with evidence of appropriate assignment.


7. Third-party and outsourcing awareness

DORA requires staff to understand ICT third-party concentration risks and the organisation’s exit strategies. This is frequently overlooked in generic cybersecurity training.

What the auditor checks: Specific training content on vendor management, subcontracting chains, and exit planning.


8. Incident response drill records

Beyond theoretical training, DORA expects regular operational testing, including tabletop exercises and crisis simulations. Proof of participation counts as training evidence.

What the auditor checks: Drill reports with participant lists, scenarios tested, and lessons learned documented.


9. Version control and content currency

When a regulation changes (e.g., DORA RTS/ITS updates), your modules must be updated promptly. The auditor will check for stale content that references outdated requirements.

What the auditor checks: Module version history showing update dates correlated with regulatory change timelines.


10. Accessibility and language compliance

Training must be available in a language the employee understands. For multinational operations, localised content is not optional — it is a regulatory expectation.

What the auditor checks: Available language versions, and that non-native speakers received content in their working language.


11. Audit trail integrity

Records must be tamper-proof and exportable. Excel spreadsheets with manual entries will raise questions. Auditors expect system-generated logs from an LMS or training platform.

What the auditor checks: Automated logs with timestamps, preferably SCORM-based completion data from a certified LMS.
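"Tamper-proof and exportable" is a property an auditor can test, not just a claim. The example below is added here to illustrate one way an LMS or training platform can make completion records tamper-evident: each record carries a SHA-256 hash over its own fields plus the hash of the previous record, so editing, deleting or reordering any historical entry breaks every hash that follows it, and the export is plain JSON lines that the auditor can re-verify offline. This is illustrative code written for this checklist, not Bubble Teach's or any LMS vendor's implementation; the employee IDs, module name and timestamps are constructed sample values.

```python
"""Tamper-evident training completion log (added example, not vendor code).

Each record is hash-chained to its predecessor: record_hash = SHA-256 over
all fields including prev_hash. Verification replays the chain and reports
the first record whose content or position no longer matches.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Iterable, List, Tuple

GENESIS = "0" * 64  # the first record chains to this fixed value


@dataclass(frozen=True)
class CompletionRecord:
    seq: int              # position in the log; detects deletion/reordering
    employee_id: str      # constructed sample IDs, not real staff
    module_id: str        # hypothetical module name, e.g. "DORA-ICT-RISK-v3"
    completed_at: str     # ISO-8601 UTC timestamp written by the platform
    score: int            # assessment score, 0-100 (item 3 evidence)
    passed: bool
    prev_hash: str        # record_hash of the previous record, or GENESIS
    record_hash: str = ""  # SHA-256 over every field above


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_record(log: List[CompletionRecord], employee_id: str, module_id: str,
                  completed_at: str, score: int, passed: bool) -> CompletionRecord:
    """Append a new completion, chained to the current head of the log."""
    prev_hash = log[-1].record_hash if log else GENESIS
    fields = dict(seq=len(log), employee_id=employee_id, module_id=module_id,
                  completed_at=completed_at, score=score, passed=passed,
                  prev_hash=prev_hash)
    rec = CompletionRecord(**fields, record_hash=_digest(fields))
    log.append(rec)
    return rec


def verify_chain(records: Iterable[CompletionRecord]) -> Tuple[bool, int]:
    """Return (ok, first_bad_index); first_bad_index is -1 when intact."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        fields = asdict(rec)
        fields.pop("record_hash")
        if rec.seq != i or rec.prev_hash != expected_prev or _digest(fields) != rec.record_hash:
            return False, i
        expected_prev = rec.record_hash
    return True, -1


def export_jsonl(log: List[CompletionRecord]) -> str:
    """Exportable evidence: one JSON object per line, verifiable by the auditor."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in log)


def import_jsonl(text: str) -> List[CompletionRecord]:
    return [CompletionRecord(**json.loads(line)) for line in text.splitlines() if line.strip()]


def build_sample_log() -> List[CompletionRecord]:
    """Constructed sample data: one pass, one fail, one retake that passes."""
    log: List[CompletionRecord] = []
    append_record(log, "E1001", "DORA-ICT-RISK-v3", "2025-02-03T09:14:00Z", 92, True)
    append_record(log, "E1002", "DORA-ICT-RISK-v3", "2025-02-03T10:02:00Z", 58, False)
    append_record(log, "E1002", "DORA-ICT-RISK-v3", "2025-02-05T08:45:00Z", 81, True)
    return log


def tampered_copy(log: List[CompletionRecord]) -> List[CompletionRecord]:
    """Simulate the failure mode the auditor worries about: a manual edit that
    turns the failed attempt into a pass after the fact, hashes left untouched."""
    rows = [asdict(r) for r in log]
    rows[1]["passed"] = True
    rows[1]["score"] = 75
    return [CompletionRecord(**r) for r in rows]


if __name__ == "__main__":
    sample = build_sample_log()
    print("original:", verify_chain(sample))
    print("edited:  ", verify_chain(tampered_copy(sample)))
    print("deleted: ", verify_chain(sample[:1] + sample[2:]))
    print(export_jsonl(sample))
```

The chain proves internal consistency of the export, not that the first write was truthful, which is why the page's point about system-generated rather than manually entered records matters: the platform, not a person, must be the only writer. In a real deployment the head hash would also be signed or periodically anchored outside the platform (for example, recorded in a separate ticket or sent to the auditor) so that a wholesale rewrite of the entire chain is detectable too.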


12. Board and management body training evidence

DORA Article 5(4) explicitly requires that the management body maintains sufficient knowledge of ICT risks. Separate evidence must exist for C-level and board training.

What the auditor checks: Dedicated training records for named directors and senior managers, distinct from general staff.


How to Use This Checklist

  1. Audit your current state — For each item, mark whether you have full evidence, partial evidence, or a gap.
  2. Prioritise gaps — Items 1-3 and 12 are typically the first things auditors ask for. Start there.
  3. Automate proof generation — Manual tracking does not scale. Use a platform that generates SCORM completion data and timestamped assessment records automatically.
  4. Schedule quarterly reviews — Regulations evolve. Your evidence portfolio must stay current.

Accelerate Compliance With Bubble Teach

Bubble Teach was built for exactly this use case. Upload your ICT risk procedures, compliance directives, or internal policies — and generate audit-ready training modules in under 10 minutes.

Every module includes:

  • Timestamped completion tracking (items 2, 4, 11)
  • Built-in assessments with pass/fail scoring (item 3)
  • SCORM export for your existing LMS (item 11)
  • Automatic versioning when source documents change (item 9)
  • Role-based module targeting (item 6)
  • Multilingual generation from a single source (item 10)

Book a demo to see how Bubble Teach addresses every item on this checklist — or start your free trial to test it with your own documents.