Cyber Resilience

Preparing for DORA: Insights from 2 Cybersecurity Compliance Experts


The European Union’s Digital Operational Resilience Act (DORA) is set to reshape the financial services industry in January 2025. It sets a new standard for cybersecurity and operational resilience.

While the shift to DORA has its challenges, it also offers a way for organizations to strengthen their operations and prepare for today’s complex threat landscape.

On The Segment: A Zero Trust Leadership Podcast, I spoke with two security compliance leaders — Tristan Morgan, managing director of cybersecurity at BT, and Mark Hendry, digital services partner at Evelyn Partners — who shared their insights on navigating DORA compliance.

About Tristan Morgan and Mark Hendry

Tristan leads cybersecurity at BT, which provides security, cloud, and network services to multinational companies worldwide. His experience in cybersecurity for the UK government and other countries has given him a strong background in securing complex digital ecosystems and ensuring compliance.

At Evelyn Partners, Mark guides clients through complex cybersecurity compliance challenges. He has extensive experience in digital regulatory spaces, including GDPR, and a focus on regulatory change programs. He offers clients valuable insights into navigating digital transformation and adapting to new regulations like DORA.

DORA: A holistic approach to banking cyber resilience

DORA is a big change in how the banking and financial industry handles resilience, both in terms of operations and cybersecurity. Instead of separate rules for each country, DORA treats cyber resilience as a coordinated effort across all of the EU.

“DORA takes the resilience conversation to a higher level,” Tristan explained. “It recognizes the impact that can happen not just at an individual country level but at a broader geographical level.”

Mark noted that he considers it the “biggest resilience intervention in financial services since after the 2008 crash.” After 2008, it was all about financial resilience and keeping cash in the system, Mark explained. Now, the global economy is increasingly interconnected, and society relies heavily on the banking industry’s digital infrastructure.

As financial institutions in the EU become more connected, the risk from cyber threats and the disruption they can cause grows quickly. DORA tackles this by encouraging a unified strategy, helping organizations protect their critical operations no matter where they are.

“If you have different interpretations of cybersecurity and resilience, then you don’t have harmonization – you’re not moving all in the same direction,” Tristan said. “Security is very much a team sport, and you have to share information between organizations to be better together.”

With DORA, financial organizations in the EU will follow one set of rules. This helps strengthen the industry's overall defense against breaches and ransomware attacks. It also makes it easier for companies to stay compliant as the industry changes and grows.


Cyber resilience is about survival, not just security

Resilience is the main focus of DORA. It’s not just about stopping breaches but also making sure that businesses can keep running if a breach happens.

Recent finance industry cyberattacks have shown how disruptive they can be and how they can affect the entire industry and even the world.

“Resilience is everything,” Tristan said. “When a breach happens, it’s not about whether the business will stop. It’s about maintaining operations despite the breach.”  

With more cyber threats happening, it’s important for businesses, especially in banking, to keep running smoothly. A breach in the banking sector can affect people’s lives and jobs. Cyber resilience is about survival, not just about staying secure.

Using a zero-trust strategy to achieve DORA compliance

DORA doesn't explicitly mention zero trust. But the underlying principles of zero trust align closely with DORA's objectives.

To Mark’s point, “If you did a search on DORA and looked for terms like ‘segmentation’ or ‘instantaneous severing of elements of the network to contain threats,’ zero trust is absolutely in there.”


Tristan explained the four crucial areas where a zero-trust strategy can help you meet DORA requirements:

  • Identify critical assets and threats: Get visibility across your network so that you can understand what is most vulnerable and needs to be addressed first.
  • Proactively prepare for attacks: Build security controls that contain attacks before they can reach critical resources and data.
  • Least privilege: A core principle of zero trust, least privilege ensures that users, apps, and services only have the minimum access they need to perform their roles. This slows down attackers as they try to move through the network.
  • Quickly respond and recover from incidents: When a breach does happen, it’s crucial to be able to detect, contain, and respond as fast as possible. Zero-trust solutions like Illumio integrate with detection platforms to automate this process.
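The following is an added example, not code from the original post or from Illumio's product, that puts two of the four areas above into working form: a default-deny allowlist that grants each role only the access it needs (least privilege), and a blast-radius calculation showing how far an adversary holding one compromised workload could move by chaining allowed flows, compared with a flat network. It also includes a small audit step that flags observed flows the policy would deny, which is the visibility work the first bullet describes. All workload names, labels, ports, rules, and observed flows are constructed for illustration.

```python
"""Default-deny segmentation model (added example; not from the original post
or Illumio's product). Workloads, labels, ports and rules are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    role: str   # constructed label, e.g. "web", "app", "db", "admin"
    env: str    # constructed label, e.g. "prod", "dev"


@dataclass(frozen=True)
class Rule:
    """Allow src-labelled workloads to reach dst-labelled workloads on a port.
    Labels are (key, value) pairs; an empty tuple matches every workload.
    port=None means any port."""
    src: tuple
    dst: tuple
    port: Optional[int] = None


def matches(w: Workload, labels: tuple) -> bool:
    return all(getattr(w, key) == value for key, value in labels)


def is_allowed(rules, src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: a flow exists only if some rule explicitly permits it."""
    if src == dst:
        return False
    return any(
        (r.port is None or r.port == port) and matches(src, r.src) and matches(dst, r.dst)
        for r in rules
    )


def blast_radius(workloads, rules, start: Workload, ports) -> set:
    """Names of workloads reachable from `start` by chaining allowed flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for w in workloads:
            if w not in seen and any(is_allowed(rules, cur, w, p) for p in ports):
                seen.add(w)
                queue.append(w)
    seen.discard(start)
    return {w.name for w in seen}


def blocked_flows(rules, observed):
    """Audit step: observed (src, dst, port) flows the policy would deny."""
    return [(s.name, d.name, p) for s, d, p in observed if not is_allowed(rules, s, d, p)]


# Constructed inventory of workloads and the ports in use.
WEB = Workload("web-1", "web", "prod")
APP = Workload("app-1", "app", "prod")
DB = Workload("db-1", "db", "prod")
DB_DEV = Workload("db-dev", "db", "dev")
JUMP = Workload("jump-1", "admin", "prod")
WORKLOADS = [WEB, APP, DB, DB_DEV, JUMP]
PORTS = [22, 8080, 5432]

# Flat network: everything may talk to everything on any port.
FLAT = [Rule(src=(), dst=(), port=None)]

# Least privilege: only the flows each role needs to do its job.
LEAST_PRIVILEGE = [
    Rule(src=(("role", "web"), ("env", "prod")), dst=(("role", "app"), ("env", "prod")), port=8080),
    Rule(src=(("role", "app"), ("env", "prod")), dst=(("role", "db"), ("env", "prod")), port=5432),
    Rule(src=(("role", "admin"),), dst=(("env", "prod"),), port=22),
]

# Constructed observed flows, as a visibility tool might report them.
OBSERVED = [(WEB, APP, 8080), (APP, DB, 5432), (WEB, DB, 5432), (DB, DB_DEV, 5432)]

if __name__ == "__main__":
    print("flat network reach from web-1 :", sorted(blast_radius(WORKLOADS, FLAT, WEB, PORTS)))
    print("least-privilege reach from web-1:", sorted(blast_radius(WORKLOADS, LEAST_PRIVILEGE, WEB, PORTS)))
    print("observed flows the policy denies:", blocked_flows(LEAST_PRIVILEGE, OBSERVED))
```

Running the block shows that under the flat policy a compromised web-1 can reach every other workload, while under the allowlist it can only chain to app-1 and then db-1; the dev database and the jump host are out of reach. The two denied observed flows (web directly to the database, and prod database to dev database) are exactly the kind of paths a visibility exercise should surface and a segmentation policy should close.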

DORA’s rules align with zero-trust best practices, showing its forward-thinking approach. By including these principles in its compliance rules, DORA helps banks protect against threats and stay up and running even during an attack.

Behind on DORA compliance? Here’s what to do

Achieving DORA compliance will require financial organizations to approach the process thoughtfully and strategically. Both Tristan and Mark underscored that proactive planning is essential.  

January will be here before you know it. If you’re worried your organization is already behind, Mark recommends you think about:

  • What's going to hurt most if there’s an attack
  • What you need to prioritize now
  • What can get kicked into next year’s planning

Organizations should focus on high-impact areas first. Map out a long-term compliance plan that gives you sustainable protection, not just short-term fixes.

Listen, subscribe, and review The Segment: A Zero Trust Leadership Podcast

Want to learn more? Listen to the full episode on our website, Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read the full transcript of the episode.

Download our free ebook, Strategies for DORA Compliance: Key Role of Zero Trust Segmentation, to get everything you need to know about DORA.
