Cyber Resilience

Will the EU Banking Industry Be Prepared for DORA?

In January 2025, financial institutions in Europe face a major test: the Digital Operational Resilience Act (DORA).  

DORA combines ICT risk and resilience rules into one unified framework. But will financial organizations be ready?

Many are racing against the clock. Tight timelines and evolving standards are making preparation harder.

As Raghu Nandakumara, senior director of industry solutions marketing at Illumio, explains, “Banks would have benefited from clearer technical standards earlier. The standards came in two waves: one in early 2022 and the second in mid-2024. This left less than 12 months before the January 17th deadline.”

Unpacking DORA

What does DORA require by the deadline? It’s not just about protecting systems. The focus is on keeping critical services running — even during disruptions.

To meet DORA’s standards, financial institutions must:

  • Test ICT systems regularly
  • Manage risks with third-party providers
  • Ensure essential services stay operational, no matter what

“DORA has a clear focus: reduce the impact of incidents. The approach? Assume breaches will happen.” – Raghu Nandakumara

The top 6 challenges of DORA compliance

1. Tight timelines, evolving standards

The rules explaining DORA’s requirements, called regulatory technical standards (RTSs), were released late. The first version came out in January 2024, and the second followed in July. With less than a year to prepare, meeting the requirements has turned into a race against time.

2. Managing third-party providers

Third-party providers — like hyperscalers and managed service providers (MSPs) — are key to financial services. But here’s the challenge: Who decides if a vendor falls under DORA’s scope? “Does the financial institution or the regulator decide this?” asks Raghu.

For smaller MSPs, the hurdles are even higher. Compliance depends on their role in financial processes. Without clear rules, it’s tough to know what’s required. Fixing this requires two things:

  • Clearer guidelines
  • Stronger collaboration with vendors

3. Aligning governance and leadership

DORA places operational resilience at the top of the leadership agenda. Boards must:

  • Set clear ICT risk limits
  • Monitor major incidents
  • Ensure the right resources are in place

Yet, many organizations lack the structure and awareness to meet these goals.

4. Testing and steady improvement

Testing plays a key role in DORA compliance. Organizations must:

  • Run yearly resilience tests on ICT systems
  • Conduct advanced penetration tests every three years

“Testing helps identify gaps and develop improvement plans, driving progress to maturity. Yet, these tests are resource-heavy and require teamwork across departments and vendors.” – Raghu Nandakumara

5. Building a resilient culture

DORA isn’t about checking boxes. It’s about staying prepared. Leadership must:

  • Foster teamwork across departments

A cultural shift may be critical to long-term success.

6. Skills gap: Growing pressure

The global cybersecurity workforce gap — estimated at 4 million — worsens DORA’s challenges. A strong compliance program can ease this pressure. It simplifies efforts while delivering broader operational benefits.

"DORA’s new mandates add pressure to security operations, policy, and audit teams." – Raghu Nandakumara

How do DORA and Zero Trust align?

Does DORA mention Zero Trust? Not directly. But its key ideas — like least privilege access and continuous monitoring — align closely.

Zero Trust’s philosophy, “never trust, always verify,” reduces risk by requiring every user, device, application, and workload to be authenticated before it is granted access.

How does it help with today’s biggest cyber risks?

  • Stops ransomware: Reduce the impact of a ransomware attack by limiting how far the malware can spread through the network.
  • Manages third-party risks: Limit vendor access to critical systems to only what each vendor’s role requires.
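The two bullets above describe the same mechanism from two angles: a default-deny, least-privilege policy between workloads both caps how far ransomware can hop and caps what a vendor can reach. The following is an added example, not code from the article or from Illumio. It models a small fleet of workloads (constructed hostnames and labels), expresses the allowed flows as an allowlist, and computes the “blast radius” of one compromised host under a flat network versus a segmented one. It also flags observed connections that fall outside the policy, which is the detection side of the same policy.

```python
"""Toy model of allowlist (default-deny) segmentation and its effect on
lateral movement. All hostnames, labels, rules and observed flows below
are constructed for the demo; nothing here is Illumio's data model."""

from collections import deque

# Constructed inventory: workload -> role label.
WORKLOADS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app",
    "db-01": "db",
    "hr-laptop-07": "user",
    "vendor-jump-01": "vendor",   # third-party administrator's jump host
    "backup-01": "backup",
}

# Constructed allowlist of (src_label, dst_label, dst_port).
# Anything not listed is denied.
SEGMENTED_POLICY = {
    ("user", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("vendor", "app", 22),        # vendor may administer the app tier only
    ("app", "backup", 443),
}

# Constructed sample of observed connections: (src_host, dst_host, dst_port).
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8080),          # expected application traffic
    ("web-01", "web-02", 445),           # SMB between web nodes: not allowed
    ("hr-laptop-07", "db-01", 5432),     # user device straight to the DB: not allowed
]


def is_allowed(policy, labels, src, dst, port):
    """Default deny: a flow passes only if an explicit label rule matches it."""
    if src == dst:
        return False
    return (labels[src], labels[dst], port) in policy


def reachable(labels, policy, start):
    """Hosts an attacker on `start` could reach by chaining allowed flows.

    Every host a worm or operator could hop to counts, over any port the
    policy mentions, so the result is the worst-case lateral-movement set."""
    ports = {p for _, _, p in policy}
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in labels:
            if nxt in seen:
                continue
            if any(is_allowed(policy, labels, cur, nxt, p) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    return seen


def flat_policy(labels, any_port=0):
    """A flat network in the same model: every label may talk to every label."""
    roles = set(labels.values())
    return {(a, b, any_port) for a in roles for b in roles}


def blast_radius(labels, policy, start):
    """Number of other hosts reachable from a compromised `start`."""
    return len(reachable(labels, policy, start)) - 1


def violations(labels, policy, observed):
    """Observed flows the policy would deny; candidates for alerting."""
    return [flow for flow in observed if not is_allowed(policy, labels, *flow)]


if __name__ == "__main__":
    for host in ("vendor-jump-01", "web-01"):
        print(host,
              "flat:", blast_radius(WORKLOADS, flat_policy(WORKLOADS), host),
              "segmented:", blast_radius(WORKLOADS, SEGMENTED_POLICY, host))
    for flow in violations(WORKLOADS, SEGMENTED_POLICY, OBSERVED_FLOWS):
        print("policy violation:", flow)
```

In the flat model the vendor jump host can reach all six other workloads; under the allowlist it can reach only the app tier and what the app tier itself talks to, and it can never open a connection straight to the database. The same rule table drives `violations`, so the flows that would be blocked are also the ones worth alerting on while a policy is still in monitor mode.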

Countdown to January 17

The clock is ticking. Testing, third-party oversight, and resilience planning aren’t optional. Meeting them requires proactive strategies and a cultural shift toward resilience.

As Raghu explained, “The EU wants progress, not perfection. They want to see how organizations interpret the requirements and what they have achieved.”

Are you interested in learning more about DORA compliance? Download our free eBook, Strategies for DORA Compliance: The Key Role of Microsegmentation. Find out how microsegmentation can improve your organization’s security.
