
By Raghu Nandakumara
After a two-year preparation period for the finance industry, the Digital Operational Resilience Act (DORA) has applied since 17 January 2025. But while the deadline has passed, finance firms that haven’t quite gotten everything lined up shouldn’t panic yet.
DORA was built around the principle of reasonable progress, not the expectation that every operational challenge would be fully solved by 17 January 2025. The goal was always to get organisations to genuinely understand their security and operational priorities and make meaningful progress towards addressing them.
By the same token, companies who feel they have ticked off all the items on their DORA compliance list should know this is not a one-and-done exercise. The January 2025 deadline marked a critical line in the sand, but true resilience doesn’t stop at compliance. It requires a clear understanding of critical systems, active mitigation of real-world threats, and a commitment to continuous improvement.
Why operational resilience is the cornerstone of DORA
In many ways, DORA is a new breed of regulation. Unlike compliance frameworks of the past, which often prioritised form over function, DORA focuses squarely on outcomes. The regulation is designed to help institutions continue critical operations in the face of cyberattacks, system failures, or other disruptions.
Operational resilience is the foundation of DORA’s approach to safeguarding the financial sector. Achieving this requires financial institutions and the ICT service providers that supply them to understand what really underpins their business.
Organisations must be able to identify the key systems and processes essential to their operations. Without pinpointing what truly matters, institutions risk spreading their efforts too thin or protecting the wrong assets.
Equally important is understanding the technology dependencies that underpin these systems. How do critical applications interact? What interdependencies exist between internal systems and third-party services? By mapping these connections, organisations can create a clear picture of their operational ecosystem and highlight potential vulnerabilities.
A threat-informed approach to cybersecurity
DORA challenges financial institutions to think not just about how they comply but how they operate. Part of this is a move beyond static compliance towards the adoption of a threat-informed method. This shift is about tackling the risks that matter most, rather than following a one-size-fits-all checklist. It starts with understanding the real-world threats to critical systems and processes.
For instance, many organisations have turned to exercises like red teaming or tabletop simulations to uncover vulnerabilities. These methods provide a practical lens into how attackers could exploit weaknesses, offering more depth than traditional risk assessments. Similarly, past cyber incidents can serve as valuable learning opportunities, revealing gaps in defences that might otherwise go unnoticed.
Alongside promoting understanding, DORA also puts a strong emphasis on taking a proportional approach to addressing risks. Not every firm can afford the cost of implementing every high-end security measure, so the expectation is instead that each firm tailors its approach to the scale of the threats it faces and its own operational complexity.
Smaller firms, for example, may focus on protecting a few key systems, while larger institutions will need broader strategies that encompass a diverse range of dependencies and attack surfaces.
This aligns well with approaches like Zero Trust, which can be rolled out gradually in stages. The Zero Trust ethos of “never trust, always verify”, enforced through strict access controls, continuous monitoring, and segmentation, can have a powerful effect on limiting the spread of a breach and reducing its impact on operations.
Zero Trust Segmentation, which applies Zero Trust principles through microsegmentation, is highly granular: every connection between workloads is denied unless a policy explicitly allows it. So, while some companies may seek to implement segmentation across their entire estate, others can concentrate first on a limited selection of critical assets.
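As an added illustration of the default-deny principle behind microsegmentation (example code written for this page, not the author’s or Illumio’s product logic; the workloads, labels, rules and flow records are all constructed), the following policy check labels each workload, allows a flow only when an explicit rule matches source labels, destination labels and port, and otherwise denies it. A `blast_radius` helper shows what a compromised host can still reach under the policy, which is the “limiting the spread of a breach” effect the paragraph describes.

```python
"""Default-deny microsegmentation policy check (added example, constructed data)."""
from dataclasses import dataclass

# Constructed workload inventory: hostname -> labels. Labels, not IP addresses,
# drive policy, so a rule survives re-deployment or re-addressing of a host.
WORKLOADS = {
    "web-01":  {"role": "web",  "env": "prod", "tier": "critical"},
    "api-01":  {"role": "api",  "env": "prod", "tier": "critical"},
    "db-01":   {"role": "db",   "env": "prod", "tier": "critical"},
    "jump-01": {"role": "jump", "env": "prod", "tier": "admin"},
    "wiki-01": {"role": "wiki", "env": "corp", "tier": "low"},
}


@dataclass
class Rule:
    src: dict   # label selector the source workload must match
    dst: dict   # label selector the destination workload must match
    port: int
    proto: str = "tcp"


# Constructed allowlist. Anything not matched here is denied (default deny).
RULES = [
    Rule({"role": "web", "env": "prod"}, {"role": "api", "env": "prod"}, 8443),
    Rule({"role": "api", "env": "prod"}, {"role": "db", "env": "prod"}, 5432),
    Rule({"role": "jump"}, {"env": "prod"}, 22),
]


def matches(selector, labels):
    """True when every key in the selector is present in labels with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(src_host, dst_host, port, proto="tcp", rules=RULES, workloads=WORKLOADS):
    """Return ('allow', rule) for the first matching rule, else ('deny', None)."""
    src, dst = workloads.get(src_host), workloads.get(dst_host)
    if src is None or dst is None:
        return "deny", None  # unknown workload: never trusted
    for r in rules:
        if (r.proto == proto and r.port == port
                and matches(r.src, src) and matches(r.dst, dst)):
            return "allow", r
    return "deny", None


def blast_radius(host, rules=RULES, workloads=WORKLOADS):
    """Set of (destination, port) a given host can reach under the policy."""
    reach = set()
    for dst in workloads:
        if dst == host:
            continue
        for r in rules:
            if evaluate(host, dst, r.port, r.proto, rules, workloads)[0] == "allow":
                reach.add((dst, r.port))
    return reach


# Constructed flow log: (src, dst, port, proto). Two are lateral-movement attempts,
# one comes from a host the inventory has never seen.
FLOWS = [
    ("web-01", "api-01", 8443, "tcp"),
    ("api-01", "db-01", 5432, "tcp"),
    ("wiki-01", "db-01", 5432, "tcp"),        # low-tier host reaching for the database
    ("web-01", "db-01", 5432, "tcp"),         # web tier skipping the api tier
    ("jump-01", "db-01", 22, "tcp"),
    ("attacker-box", "api-01", 8443, "tcp"),  # unknown source
]


def audit(flows=FLOWS, rules=RULES, workloads=WORKLOADS):
    """Evaluate each flow; return (allowed_count, denied_flows) for monitoring."""
    denied, allowed = [], 0
    for src, dst, port, proto in flows:
        if evaluate(src, dst, port, proto, rules, workloads)[0] == "allow":
            allowed += 1
        else:
            denied.append((src, dst, port, proto))
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = audit()
    print(f"allowed={allowed}")
    for f in denied:
        print("DENY", f)
    print("wiki-01 can reach:", blast_radius("wiki-01"))
    print("jump-01 can reach:", sorted(blast_radius("jump-01")))
```

The denied list is the feed for continuous monitoring: in a staged rollout it would first be reported rather than enforced, so that a rule set can be tuned against real traffic before blocking anything.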
DORA’s risk-based approach is one of its strengths, but also a challenge for organisations. They will need to work out their priorities and justify their actions to the regulators.
The role of third parties in DORA compliance
The mandate for operational resilience extends well beyond an organisation’s internal systems, placing significant emphasis on third-party risk management. This is another key trend in the world of regulation, and we’ve seen a similar emphasis in the recently applicable NIS2 Directive, among others.
This broadens the scope of compliance to include critical service providers like cloud vendors, payment processors, and managed service providers (MSPs). For financial institutions, third-party dependencies represent both a vital enabler of operations and a potential vulnerability.
Managing these relationships begins with identifying which suppliers are critical to key business processes. Organisations must map their supply chain to pinpoint dependencies that could disrupt operations if compromised. Importantly, this isn’t limited to technology providers—any external entity impacting core services must be considered.
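Both the dependency mapping described earlier (how critical applications interact, and which internal and third-party services they rely on) and the supply-chain mapping in this section come down to the same exercise: start from each critical function, walk its dependency graph, and see which systems and which external providers sit underneath it. The example below does that walk (added code written for this page, not the author’s or Illumio’s; the inventory, edges and function names are constructed). It also reports concentration risk, meaning a single provider that several critical functions depend on.

```python
"""Critical-function dependency mapping (added example, constructed data)."""
from collections import deque

# Constructed inventory. "external" marks a third-party ICT provider.
NODES = {
    "payments-api":   {"owner": "payments",    "external": False},
    "ledger-db":      {"owner": "core",        "external": False},
    "auth-service":   {"owner": "platform",    "external": False},
    "fraud-scoring":  {"owner": "risk",        "external": False},
    "card-processor": {"owner": "third-party", "external": True},
    "cloud-iaas":     {"owner": "third-party", "external": True},
    "sms-gateway":    {"owner": "third-party", "external": True},
    "wiki":           {"owner": "it",          "external": False},
}

# Constructed dependency edges: A -> [B, ...] means A needs B to operate.
EDGES = {
    "payments-api":   ["ledger-db", "auth-service", "fraud-scoring", "card-processor"],
    "ledger-db":      ["cloud-iaas"],
    "auth-service":   ["cloud-iaas", "sms-gateway"],
    "fraud-scoring":  ["cloud-iaas"],
    "card-processor": [],
    "cloud-iaas":     [],
    "sms-gateway":    [],
    "wiki":           ["cloud-iaas"],
}

# Critical functions mapped to the systems through which they are delivered.
CRITICAL_FUNCTIONS = {
    "retail-payments": ["payments-api"],
    "customer-login":  ["auth-service"],
}


def transitive_dependencies(start, edges=EDGES):
    """Every node reachable from `start` by following dependency edges (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for dep in edges.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def critical_assets(functions=CRITICAL_FUNCTIONS, edges=EDGES):
    """Map each critical function to the full set of systems it depends on."""
    result = {}
    for name, entry_points in functions.items():
        deps = set(entry_points)
        for ep in entry_points:
            deps |= transitive_dependencies(ep, edges)
        result[name] = deps
    return result


def critical_third_parties(functions=CRITICAL_FUNCTIONS, edges=EDGES, nodes=NODES):
    """External providers in any critical function's closure, with the functions
    each supports. A provider listed under several functions is a concentration risk."""
    out = {}
    for fn, deps in critical_assets(functions, edges).items():
        for d in deps:
            if nodes[d]["external"]:
                out.setdefault(d, set()).add(fn)
    return out


def in_scope_systems(functions=CRITICAL_FUNCTIONS, edges=EDGES):
    """Union of all systems supporting a critical function; the rest are lower priority."""
    scope = set()
    for deps in critical_assets(functions, edges).values():
        scope |= deps
    return scope


if __name__ == "__main__":
    for fn, deps in critical_assets().items():
        print(f"{fn}: {sorted(deps)}")
    print("critical third parties:",
          {k: sorted(v) for k, v in critical_third_parties().items()})
    print("outside critical scope:", sorted(set(NODES) - in_scope_systems()))
```

On this constructed inventory the cloud provider and the SMS gateway both sit under two critical functions, which is exactly the kind of dependency that contractual recovery objectives and supplier stress tests need to cover first; the internal wiki falls outside critical scope and can be addressed later.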
Financial firms must ensure third parties meet stringent resilience standards. This involves establishing solid contractual agreements that clearly outline roles, responsibilities, and recovery objectives. Testing these suppliers’ systems as part of broader stress-testing exercises is equally crucial, ensuring they can support the institution’s resilience goals under pressure.
Progress over perfection: continuous improvement under DORA
DORA is very much positioned as the beginning of a journey rather than an endpoint. The regulation encourages financial institutions to adopt a mindset of continuous improvement, recognising that achieving absolute security is unrealistic. Instead, the focus is on making consistent, measurable progress.
Aligning with this expectation requires attainable goals for enhancing resilience. This involves conducting regular assessments to identify vulnerabilities and track improvements over time. For example, implementing a structured plan that includes periodic reviews and updates to security protocols ensures that defences evolve alongside emerging threats.
Leadership plays a pivotal role in this continuous improvement process. Executive buy-in is essential for fostering a culture that prioritises resilience. When leadership is actively involved, it signals the importance of these initiatives across all levels of the organisation, promoting a unified approach to compliance and security.
From compliance to resilience
Even if DORA were not compulsory, its principles should be seen as a chance to go beyond basic compliance and build reliable, long-term operational resilience.
Its focus on real-world effectiveness and on tackling third-party risk can become a competitive advantage. Institutions that can prove they have taken concrete steps to address these challenges and secure their operations will earn greater trust from customers, investors, and other stakeholders, quite apart from reducing the risk of a catastrophically costly breach. Those doing the bare minimum, meanwhile, should consider how they will justify that to the regulators and to their stakeholders.
About the Author
Raghu Nandakumara is Head of Industry Solutions at Illumio based in London, UK, where he is responsible for helping customers and prospects through their segmentation journeys. Previously, Raghu spent 15 years at Citibank, where he held several network security operations and engineering roles.