DORA: First steps towards compliance

Mark Coates, VP EMEA, Gigamon


Earlier this year, the Digital Operational Resilience Act (DORA) came into force, set on bolstering IT security resilience for Financial Services across the EU. This regulation is an essential shift for the industry, which is an attractive target for cybercriminals.

Financial services has been accelerating its digital transformation efforts, migrating to the cloud at pace to reap the benefits of cloud-based networks. But hybrid cloud infrastructures also bring security risks. A recent report found that 42% of global IT and security leaders cite cloud apps as a common ransomware threat vector, and many simply don’t have the level of visibility needed to monitor this complex environment.


DORA will play a significant role in reducing this risk for financial institutions, yet compliance and risk management can be daunting for business leaders without a high level of experience in cybersecurity, or with insufficient visibility across their IT infrastructure. For security leaders and businesses navigating the compliance process, here are some essential first steps.


Deep observability is critical for compliance

DORA specifies that organisations need to continuously identify risks in order to set up protection and prevention measures, promptly detect anomalous activities, and quickly identify and eliminate any weaknesses, deficiencies, or gaps in digital operations. To comply with DORA, organisations must have total, deep observability across their entire infrastructure – from the core to the cloud – to establish their risk posture and resilience.

To achieve this, security teams need real-time, network-level intelligence to track activity across the network and eradicate blind spots. This means going beyond current log- and trace-based monitoring tools: network-derived intelligence complements those solutions, so that suspicious activity is detected rapidly and can be acted on.

Organisations must implement continuous monitoring and response mechanisms as soon as possible to identify and mitigate threats. This includes real-time monitoring of network traffic, system logs, and endpoint devices, as well as detection and response capabilities that use artificial intelligence and machine learning.


Conduct regular stress tests and scrutinise third party vendors

DORA also requires organisations to conduct regular stress tests to assess their systems’ resilience to potential attacks or other operational disruptions. This includes identifying and addressing any gaps in their cybersecurity measures, as well as testing for system vulnerabilities, weaknesses, and failures.

In addition to stress testing internal systems, financial institutions must ensure that their suppliers and vendors are DORA compliant, as their services and products may pose a threat to the organisation’s overall security posture. This entails conducting regular assessments and audits of third-party vendors and suppliers to ensure they adhere to the same cybersecurity and resilience standards as the organisation.

The risks posed by cyber threats are significant and can cause reputational damage to financial institutions. By taking a proactive approach to DORA compliance, the sector can protect its operations, its reputation, and its customers’ sensitive information.


Allocate adequate resources

The industry’s reliance on cloud computing demands a robust cybersecurity strategy. Compliance with regulations such as DORA is critical for financial institutions trading in the EU to protect their operations, reputation and sensitive customer information.

By implementing these initial steps, financial institutions can establish a strong foundation for DORA compliance. These steps include real-time monitoring and response mechanisms, regular stress testing, and ensuring that third-party vendors and suppliers follow the rules. It is also critical to ensure that security measures keep pace with hybrid cloud infrastructures and that adequate resources, including staffing, technology, and training, are allocated to cybersecurity.

Compliance with DORA is mandatory for financial organisations, with the deadline fast approaching in January 2025 and severe consequences for non-compliance, including potential jail time for the board. They must start their compliance journey now, with deep observability as a key element, in order to ensure cybersecurity and reap the advantages of cloud computing securely.
