Will the EU Banking Industry Be Prepared for DORA?
In January 2025, financial institutions in Europe face a major test: the Digital Operational Resilience Act (DORA).
DORA combines ICT risk and resilience rules into one unified framework. But will financial organizations be ready?
Many are racing against the clock. Tight timelines and evolving standards are making preparation harder.
As Raghu Nandakumara, senior director of industry solutions marketing at Illumio, explains, “Banks would have benefited from clearer technical standards earlier. The standards came in two waves: one in early 2022 and the second in mid-2024. This left less than 12 months before the January 17th deadline.”
Unpacking DORA
What does DORA require by the deadline? It’s not just about protecting systems. The focus is on keeping critical services running — even during disruptions.
To meet DORA’s standards, financial institutions must:
- Test ICT systems regularly
- Manage risks with third-party providers
- Ensure essential services stay operational, no matter what
“DORA has a clear focus: reduce the impact of incidents. The approach? Assume breaches will happen.” – Raghu Nandakumara
The top 6 challenges of DORA compliance
1. Tight timelines, evolving standards
The rules explaining DORA’s requirements, called regulatory technical standards (RTSs), were released late. The first version came out in January 2024, and the second followed in July. With less than a year to prepare, meeting the requirements has turned into a race against time.
2. Managing third-party providers
Third-party providers — like hyperscalers and managed service providers (MSPs) — are key to financial services. But here’s the challenge: Who decides if a vendor falls under DORA’s scope? “Does the financial institution or the regulator decide this?” asks Raghu.
For smaller MSPs, the hurdles are even higher. Compliance depends on their role in financial processes. Without clear rules, it’s tough to know what’s required. Fixing this requires two things:
- Clearer guidelines
- Stronger collaboration with vendors
3. Aligning governance and leadership
DORA places operational resilience at the top of the leadership agenda. Boards must:
- Set clear ICT risk limits
- Monitor major incidents
- Ensure the right resources are in place
Yet, many organizations lack the structure and awareness to meet these goals.
4. Testing and steady improvement
Testing plays a key role in DORA compliance. Organizations must:
- Run yearly resilience tests on ICT systems
- Conduct advanced penetration tests every three years
“Testing helps identify gaps and develop improvement plans, driving progress to maturity. Yet, these tests are resource-heavy and require teamwork across departments and vendors.” – Raghu Nandakumara
5. Building a resilient culture
DORA isn’t about checking boxes. It’s about staying prepared. Leadership must:
- Champion operational resilience
- Foster teamwork across departments
A cultural shift may be critical to long-term success.
6. Skills gap: Growing pressure
The global cybersecurity workforce gap — estimated at 4 million — worsens DORA’s challenges. A strong compliance program can ease this pressure. It simplifies efforts while delivering broader operational benefits.
“DORA’s new mandates add pressure to security operations, policy, and audit teams.” – Raghu Nandakumara
How do DORA and Zero Trust align?
Does DORA mention Zero Trust? Not directly. But its key ideas — like least privilege access and continuous monitoring — align closely.
Zero Trust’s philosophy, “never trust, always verify,” reduces risk by requiring every user, device, application, and workload to be authenticated before it is granted access.
How does it help with today’s biggest cyber risks?
- Stops ransomware: Reduce the impact of ransomware attacks by limiting how far an attack can spread through the network.
- Secures the cloud: Dynamic policies protect the hybrid multi-cloud.
- Manages third-party risks: Restrict and control how much access vendors have to critical systems.
Countdown to January 17
The clock is ticking. Testing, third-party oversight, and resilience planning aren’t optional. Meeting these requirements calls for proactive strategies and a cultural shift toward resilience.
As Raghu explained, “The EU wants progress, not perfection. They want to see how organizations interpret the requirements and what they have achieved.”
Are you interested in learning more about DORA compliance? Download our free eBook, Strategies for DORA Compliance: The Key Role of Microsegmentation. Find out how microsegmentation can improve your organization’s security.