European Insurance and Occupational Pensions Authority

DORA 250 - 3380

Q&A

Question ID: DORA 250 - 3380

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Topic: Other DORA topics

Article: Article 13(6)

Status: Final

Date of submission: 09 Jul 2025

Question

I would like to know whether the requirement regarding digital operational training means that it should be conducted periodically, in a frequent manner. Thank you in advance for your answer.

EIOPA answer

Article 13(6) of Regulation (EU) 2022/2554 requires financial entities to develop ICT security awareness programmes and digital operational resilience training as compulsory components of their staff training schemes. As emphasised in several Recitals of the Regulation, particularly Recital 45, awareness of digital operational resilience risks constitutes a critical element of an effective ICT risk management framework. For this reason, Article 5(2), point (g), explicitly requires the management body to allocate and periodically review an appropriate budget for, inter alia, ICT security awareness programmes, digital operational resilience training, and ICT skills development for all staff. Similarly, the requirement to establish "ICT security awareness programmes and digital operational resilience training for staff and management" also applies to financial entities subject to the simplified ICT risk management framework.

The Regulation places significant emphasis (see Recital 45) on the responsibility of the management body to ensure that all staff of financial entities maintain a high level of awareness and a firm commitment to observing strict cyber hygiene. In line with the principle of proportionality, the importance of this requirement must be reflected in each financial entity's training and awareness programme, including in the determination of its frequency and its periodic updates. As per Article 13(6), such training has to be commensurate with the remit of the employees/senior management staff, which also entails a relevant frequency of training in relation to their profiles/functions.

Furthermore, when updating and reviewing ICT security awareness programmes and digital operational resilience training, financial entities should take into account lessons learned from their analysis of ICT-related incidents as well as relevant cyber threat intelligence.