Preparing for DORA: Insights from 2 Cybersecurity Compliance Experts
The European Union’s Digital Operational Resilience Act (DORA) is set to reshape the financial services industry in January 2025. It sets a new standard for cybersecurity and operational resilience.
While the shift to DORA has its challenges, it also offers a way for organizations to strengthen their operations and prepare for today’s complex threat landscape.
On The Segment: A Zero Trust Leadership Podcast, I spoke with two security compliance leaders — Tristan Morgan, managing director of cybersecurity at BT, and Mark Hendry, digital services partner at Evelyn Partners — who shared their insights on navigating DORA compliance.
About Tristan Morgan and Mark Hendry
Tristan leads cybersecurity at BT which provides security, cloud, and network services to global multinational companies worldwide. His experience in cybersecurity for the UK government and other countries has given him a strong background in securing complex digital ecosystems and ensuring compliance.
At Evelyn Partners, Mark guides clients through complex cybersecurity compliance challenges. He has extensive experience in digital regulatory spaces, including GDPR, and a focus on regulatory change programs. He offers clients valuable insights into navigating digital transformation and adapting to new regulations like DORA.
DORA: A holistic approach to banking cyber resilience
DORA is a big change in how the banking and financial industry handles resilience, both in terms of operations and cybersecurity. Instead of separate rules for each country, DORA treats cyber resilience as a coordinated effort across all of the EU.
“DORA takes the resilience conversation to a higher level,” Tristan explained. “It recognizes the impact that can happen not just at an individual country level but at a broader geographical level.”
Mark noted that he considers it the “biggest resilience intervention in financial services since after the 2008 crash.” After 2008, it was all about financial resilience and keeping cash in the system, Mark explained. Now, the global economy is increasingly interconnected, and society relies heavily on the banking industry’s digital infrastructure.
As financial institutions in the EU become more connected, the risk from cyber threats and the disruption they can cause grows quickly. DORA tackles this by encouraging a unified strategy, helping organizations protect their critical operations no matter where they are.
“If you have different interpretations of cybersecurity and resilience, then you don’t have harmonization – you’re not moving all in the same direction,” Tristan said. “Security is very much a team sport, and you have to share information between organizations to be better together.”
With DORA, financial organizations in the EU will follow one set of rules. This helps strengthen the industry's overall defense against breaches and ransomware attacks. It also makes it easier for companies to stay compliant as the industry changes and grows.
Cyber resilience is about survival, not just security
Resilience is the main focus of DORA. It’s not just about stopping breaches but also making sure that businesses can keep running if a breach happens.
Recent finance industry cyberattacks have shown how disruptive they can be and how they can affect the entire industry and even the world.
“Resilience is everything,” Tristan said. “When a breach happens, it’s not about whether the business will stop. It’s about maintaining operations despite the breach.”
With more cyber threats happening, it’s important for businesses, especially in banking, to keep running smoothly. A breach in the banking sector can affect people’s lives and jobs. Cyber resilience is about survival, not just about staying secure.
Using a zero-trust strategy to achieve DORA compliance
DORA doesn't explicitly mention zero trust. But the underlying principles of zero trust align closely with the DORA's objectives.
To Mark’s point, “If you did a search on DORA and looked for terms like ‘segmentation’ or ‘instantaneous severing of elements of the network to contain threats,’ zero trust is absolutely in there.”
Tristan explained the four crucial areas where a zero-trust strategy can help you meet DORA requirements:
- Identify critical assets and threats: Get visibility across your network so that you can understand what is most vulnerable and needs to be addressed first.
- Proactively prepare for attacks: Build security controls that contain attacks before they can reach critical resources and data.
- Least privilege: A core principle of zero trust, least privilege ensures that users, apps, and services only have the minimum access they need to perform their roles. This slows down attackers as they try to move through the network.
- Quickly respond and recover from incidents: When a breach does happen, it’s crucial to be able to detect, contain, and respond as fast as possible. Zero-trust solutions like Illumio integrate with detection platforms to automate this process.
DORA’s rules align with zero-trust best practices, showing its forward-thinking approach. By including these principles in its compliance rules, DORA helps banks protect against threats and stay up-and-running even during an attack.
Behind on DORA compliance? Here’s what to do
Achieving DORA compliance will require financial organizations to approach the process thoughtfully and strategically. Both Tristan and Mark underscored that proactive planning is essential.
January will be here before you know it. If you’re worried your organization is already behind, Mark recommendations you think about:
- What's going to hurt most if there’s an attack
- What you need to prioritize now
- What can get kicked into next year’s planning
Organizations should focus on high-impact areas first. Map out a long-term compliance plan that gives you sustainable protection, not just short-term fixes.
Listen, subscribe, and review The Segment: A Zero Trust Leadership Podcast
Want to learn more? Listen to the full episode on our website, Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read the full transcript of the episode.
Download our free ebook, Strategies for DORA Compliance: Key Role of Zero Trust Segmentation, to get everything you need to know about DORA.