Ben Hunter, Senior Director of Financial Services at Gigamon, on the impact of the Digital Operational Resilience Act (DORA) and what financial institutions can do to ensure lasting compliance

The Digital Operational Resilience Act (DORA) came into force on January 17th. It’s high time for financial institutions to refine their compliance and Cybersecurity efforts. This regulation isn’t just another box-ticking exercise. It represents a shift in the financial services industry that touches everyone in the ecosystem. And every corner of the organisations within it. From IT teams to the board, every department must pull together under a cohesive cyber strategy to meet the challenge. It’s not simply about systems and software. DORA demands a cultural shift toward organisation-wide cyber resilience.

At this stage, the big changes should already be in place. However, the focus now must be on the finer details. The overlooked pieces that could potentially make or break compliance and prove extremely costly. Organisations must tweak processes and ensure every element of their plan works seamlessly and aligns with the broader goal of operational resilience. Here are three areas of focus to perfect preparedness and ensure DORA compliance is not just a box checked but a new standard embraced by the whole organisation.

Criticality of third-party Cybersecurity management

One of DORA’s requirements is reducing reliance on single ICT service providers. This is designed to safeguard financial institutions against concentrated risk. By now, all structural changes should already be in place, with organisations diversifying their ICT providers. Or improving internal capabilities to reduce their external dependencies. However, compliance doesn’t end with restructuring. The focus must now shift from restructuring to managing these relationships effectively. Organisations should be looking to perfect their third-party risk assessment, monitoring, and due diligence strategies. They must ensure their processes for vetting ICT service providers are not just in place but are meticulously detailed. Contracts need to leave no room for ambiguity, with explicit terms outlining providers’ security and risk management strategies. These agreements must be revisited and stress-tested to confirm they align with DORA’s standards.

Equally critical is ironing out the specifics of ongoing monitoring and oversight. Institutions should be finalising the structure and frequency of their performance reviews and audits. Ensuring these mechanisms are robust enough to identify and address any emerging vulnerabilities. Moreover, by focusing on the details now, organisations can build a resilient operational framework that doesn’t just meet DORA’s requirements but builds resilience into their core operations for years to come.

Global efficiency through multi-cloud environments

Adopting a multi-cloud strategy has become essential for financial institutions operating on a global scale. It mitigates concentrated risk by avoiding dependence on a single provider and allows organisations to address the unique regulatory and operational challenges of different regions. However, the complexity of multi-cloud environments brings its own challenges. Particularly in ensuring the visibility and control required under DORA. This is why it’s crucial for organisations and their third parties to refine the tools and processes that support this level of visibility and allow the security teams to continuously monitor their environments.

According to recent data, 50% of CISOs say their confidence in risk management hinges on having full visibility into all data in motion, including encrypted and lateral traffic across both on-premises and cloud environments. This underscores the importance of advanced monitoring capabilities to effectively manage the complexities of multi-cloud infrastructures. While DORA mandates comprehensive visibility, the benefits go beyond just meeting compliance requirements. Deep observability strengthens organisations’ ability to detect vulnerabilities in real-time, ensuring seamless operations across regions and providers, and service continuity. For multi-cloud strategies to be effective, they must be paired with the right network-level monitoring capabilities. It’s important to build resilience from the inside out.

Organisational alignment to demonstrate Cybersecurity compliance

Demonstrating compliance isn’t just about avoiding fines and ticking regulatory boxes. It’s about preserving trust and protecting the organisation’s reputation. Reputational damage and financial penalties hit the top of the organisation hardest. This makes board-level engagement essential to ensuring Cybersecurity efforts are prioritised and aligned with broader business objectives. Boards must recognise that Cybersecurity is not a siloed function; it’s a key aspect of business resilience.

While security leaders are responsible for designing and implementing security strategies, their ability to deliver is directly tied to the board’s involvement. Board members control the decisions that shape an organisation’s Cybersecurity posture, from budget allocation to strategic priorities. Without their active engagement, security leaders may lack the resources, influence, or organisational buy-in necessary to implement comprehensive security measures. This can lead to significant gaps in compliance efforts and overall resilience.

To demonstrate compliance effectively, organisations need a unified approach to gathering, standardising, and presenting evidence to regulatory authorities. This includes aligning on consistent formats for documenting key areas like risk assessments, incident management, security testing, and third-party oversight. By finalising internal policies and leveraging automation tools, institutions can ensure their compliance evidence is regulator-ready and accessible. Such coordination not only satisfies DORA’s demands but also signals a strong, unified commitment to operational resilience. One that must come from the top and ripple throughout the entire organisation.

With penalties for non-compliance reaching up to 2% of global annual turnover, financial institutions cannot afford to be anything less than fully aligned on their compliance strategies going forward. Furthermore, as the broader compliance frameworks are now finalised, the focus must shift to perfecting the finer details that will ensure long-term resilience and success.

About Gigamon

Gigamon offers a deep observability pipeline that efficiently delivers network-derived intelligence and insights to your cloud, security, and observability tools. This eliminates security blind spots, optimises network traffic and reduces tool costs. Therefore, enabling you to better secure and manage your hybrid cloud infrastructure.

  • Cybersecurity in FinTech

Martin Greenfield, CEO of Quod Orbis, on a troubling paradox within the cybersecurity landscape: despite substantial investments in security infrastructure, confidence levels and actual capabilities remain worryingly misaligned.

Financial institutions face concrete regulatory pressure on Cybersecurity with the European Union’s Digital Operational Resilience Act (DORA) coming into force in February. This landmark regulation demands robust ICT risk management and comprehensive security monitoring. Currently, many organisations continue to rely on disparate tools and spreadsheets that may leave them vulnerable to sophisticated threats. These include AI-powered deep fakes and targeted spear phishing campaigns.

This challenge transcends the financial sector as organisations across all industries face mounting pressure to demonstrate both security effectiveness and regulatory compliance. Our research reveals a stark reality. Organisations typically maintain an average of 19 security solutions per team. However, a surprising 41% still cite insufficient technology as the primary obstacle to maintaining a robust security posture.

This misalignment points to a fundamental issue. Organisations must recognise effective cybersecurity isn’t achieved through quantity of tools, but through strategic selection of the right solutions. Furthermore, perhaps most concerning is the false sense of security prevalent among IT decision-makers. While 93% express confidence in their infrastructure visibility tools, an alarming 95% acknowledge difficulties in accessing specific digital assets over the past year. This creates dangerous blind spots leaving organisations exposed to both security breaches and compliance shortfalls.

Understanding the Cybersecurity challenge

Today’s enterprise infrastructure resembles a tapestry of critical assets, connections and endpoints. To put this complexity into perspective: IT teams now manage an average of 31 endpoints per person across their organisation. For a company of 1,000 employees, this translates to more than 30,000 devices requiring constant monitoring and protection. This challenge intensifies with the widespread adoption of cloud services, hybrid working arrangements and an ever-growing ecosystem of connected devices.

Scale amplifies these difficulties markedly. Our research reveals organisations with more than 1,250 employees demonstrate the lowest confidence in their existing tools (88%) and face the greatest challenges in accessing critical assets (97%). Moreover, these larger enterprises typically wrestle with an unwieldy combination of legacy systems, bespoke solutions and modern platforms. This results in notably lower visibility rates (79%) compared to their smaller counterparts.

Perhaps most revealing is the stark confidence gap between technical and compliance teams. While 94% of information security directors express confidence in their system visibility, merely 66% of compliance directors share this outlook. This disparity exposes a crucial misalignment between technical capabilities and compliance requirements. One that poses serious operational risks as regulatory frameworks increasingly demand continuous monitoring. Organisations clinging to manual compliance processes face an unstable burden. Teams are stretched thin handling routine tasks while regulations grow more complex. Embracing automated technologies to handle routine monitoring requirements will allow compliance teams to pivot from being reactive box-checkers to strategic risk managers.

Moving from reaction to prevention

The impulse to combat emerging threats by rapidly acquiring new security solutions has led many organisations to create sprawling, inefficient systems. These often compound the very problems they aim to solve.

This reactive approach has trapped organisations in a costly cycle of diminishing returns. Despite substantial technology investments, nearly 40% of firms report a troubling lack of actionable intelligence, while 37% struggle with budget limitations. This paradox is increasingly drawing board-level scrutiny. And rightfully so. After years of approving emergency technology purchases to plug cybersecurity gaps, boards are now questioning the value of new investments. Furthermore, tthis creates a dangerous stalemate: organisations need smarter, not just more, technology investment.

However, a more strategic approach is gaining traction through integrated system monitoring platforms. These comprehensive solutions unite previously disconnected tools under a single dashboard. This can offer real-time visibility across the entire cybersecurity landscape. This unified approach enables teams to identify and address vulnerabilities before they evolve into security incidents. A capability that resonates with the 82% of organisations who recognise enhanced visibility would substantially strengthen their cybersecurity posture.

It’s encouraging that 72% of IT teams have secured increased budgets over the past three years. However, the path forward requires more than mere financial investment. Organisations must shift from reactive spending to strategic deployment. Although this presents its own challenge: convincing board members that additional tooling represents an investment in comprehensive visibility rather than merely plugging security gaps.

The path forward

The transformation from fragmented security to comprehensive oversight demands more than technological upgrades. It requires a fundamental reimagining of how organisations approach cybersecurity monitoring and compliance.

The advantages of this strategic shift are compelling and quantifiable. Our analysis reveals security teams anticipate multiple efficiency gains: 38% expect automation to streamline document creation, 37% foresee improved board pack preparation, and 36% anticipate dedicating more time to strategic security assessments. Perhaps most significantly, 35% predict a reduction in human error alongside enhanced data accuracy. The efficiency gains are substantial. Teams could reclaim up to 60 hours annually per member on board reporting alone, time better invested in strategic security initiatives.

With regulatory frameworks growing increasingly sophisticated across sectors, including the forthcoming DORA regulation, maintaining current practices is no longer viable. The disparity between perceived and actual security capabilities poses a tangible risk that organisations must address proactively.

About Quod Orbis

Quod Orbis is the single source of truth across security, risk and compliance, providing an orchestration layer for the entire tech stack whether in the cloud, on-premise, legacy or bespoke. Founded in 2018, Quod Orbis became part of Dedagroup, one of the leading Italian IT players, in 2024.

A pioneer in Continuous Controls Monitoring (CCM), Quod Orbis provides complete and constant visibility into a company’s cybersecurity, compliance and risk posture. Quod Orbis’ ability to connect with every piece of technology within a business, unrivalled automation capabilities and continual support enables the company to serve a global client base across a wide variety of industries.

  • Cybersecurity in FinTech