I've been getting more and more questions about DORA as we inch closer to the January 2025 deadline. And it's not just the EU finance industry that's asking. Companies across this sector worldwide are gearing up to meet DORA's requirements.  

Are you ready?

Cyberattacks are growing more sophisticated and frequent. DORA is designed to make sure disruptions don’t cripple the financial sector. It’s about shifting from “How do we recover from a breach?” to “How do we keep things running even when the worst happens?”  

Today's financial systems must be able to not just survive but thrive in an increasingly hostile threat landscape.

What does DORA cover?

In a nutshell, DORA is an ICT risk management focussed regulation to improve cyber resilience that applies to all banking and financial institutions and their vendors operating in the EU.  

This includes banks, payment service providers, investment firms, insurance companies, and even crypto-asset service providers. It also applies to the third-party vendors that these institutions rely on, such as cloud service providers, IT support firms and data centers.

If you do business with the EU financial sector, you’re on the hook for DORA compliance, even if you’re not located in the EU.

What exactly does DORA mandate? It focuses on five key pillars:  

• Risk management

• Incident response

• Operational resilience

• Third-party risk

• Reporting requirements

Whether it’s a cyberattack, technical failure, or human error, financial entities must show they are resilient against attacks. In other words, they must prove they can handle disruptions with little effect to their operations.  

DORA requires organizations to have a rock-solid plan in place and be able to demonstrate you can execute it by January 2025.

Why the urgency?

Cyber threats aren’t going away. If anything, they’re getting worse, especially in the banking sector.

The International Monetary Fund (IMF) recently warned that the global financial system is a prime target for cyberattacks. Over the past 20 years, there have been over 20,000 attacks on banking, resulting in losses north of $12 billion.

DORA’s purpose is to make sure this onslaught of attacks can’t halt the world’s banking system.

The whole digital ecosystem that supports them needs to be just as resilient. DORA is all about strengthening the banking system’s interdependencies and making sure a hit to one doesn’t bring the whole system down.

Zero Trust: Best practice for DORA compliance

Zero Trust is a term you’ve probably heard thrown around a lot lately, and for good reason. Zero Trust isn’t just a buzzword. It’s a best-practice security strategy that aligns with DORA’s core objectives.  

The idea behind Zero Trust is simple: never trust, always verify. Traditional security models naively assume that every person, device, and workload already inside your network is safe and those outside it are dangerous. But Zero Trust takes a modern approach to cybersecurity. It treats everything as potentially dangerous until proven otherwise.   

With Zero Trust, every access request is authenticated, authorized, and continuously validated. This ensures that only the right people have access to the right resources at the right time.  

One of DORA’s key requirements is to limit unauthorized access and contain breaches quickly. Zero Trust makes this possible by enforcing strict controls and reducing the opportunities for an attacker to move freely through your network.

Why is this critical? Modern cyberattacks are stealthy. Hackers aren’t going to announce their arrival with a big flashing sign. They’ll try to slip in undetected, move silently, access sensitive data, and maybe even sit quietly, gathering intelligence for a later attack. Zero Trust makes this process much more difficult for attackers which limits any damage they can inflict.

DORA’s guidelines around risk management, incident response, and operational resilience all tie into a Zero Trust approach. While DORA doesn’t explicitly call out Zero Trust, its emphasis on reducing risks and building cyber resilience is in perfect alignment with Zero Trust principles. Plus, zero trust is scalable and adaptable, making it a great long-term security strategy as your organization evolves.

What’s next?

With January 2025 right around the corner, now’s the time to get serious about DORA. Start by mapping your assets, documenting your data flows, and using this information to build a Zero Trust strategy for your organization.

If you’re already ISO 27001 or NIST compliant, you’re ahead of the game. But you’ll still need to make some adjustments to meet DORA’s requirements.

This week, The Zero Trust Hub features:

• Gary Barlet, Illumio's Public Sector Chief Technology Officer, on tackling election security with Zero Trust.
• How internships can help fill the cybersecurity skills gap and help young talent enter the industry.
• Why the secret to securing distributed networks is alignment between cloud and security teams.

Are you ready for DORA? Read our ebook, Strategies for DORA Compliance: Key Role of Zero Trust Segmentation, to learn everything you need to know.