DORA - The Regulatory Awakening

In today’s digital age, AI-enabled attacks have never been more prevalent. From deepfake attacks to the rapid dissemination of malware techniques, AI tools are falling into malicious hands, and cyber criminals are increasingly leveraging them to compromise user credentials and access confidential data.

Amid this sophisticated threat landscape, organisations of all shapes and sizes are at risk of attack. However, sitting on vast amounts of lucrative data and confidential assets, the financial services industry is at the top of cyber criminals’ hit lists.
 
As the scale and severity of attacks grow, the EU’s new Digital Operational Resilience Act (DORA) comes at a crucial time. With nearly 50% of financial organisations surveyed experiencing a security breach in the past two years, DORA is a vital step towards strengthening the sector’s cyber resilience. 

Under DORA, financial institutions operating in the EU, and their third-party information and communication technology (ICT) providers, must adhere to new technical requirements aimed at helping organisations recover from cyber risk.

Enforcement of DORA compliance is now in full force, and organisational resilience must remain front of mind. Organisations need to establish clear policies for managing ICT risk, particularly those related to outdated systems and unauthorised access. 

Navigating Supply Chain Complexities  

Cyber risks in financial services have been heightened by the growth of large and often complex supply chains. Whether through acquisitions or onboarding new partners, larger supply chains allow for more identities to operate freely within the chain – often unchecked.   
  
The rise of temporary employees, partners, and contractors entering systems means identities can easily fly under the radar, leading to security risks like ‘overprovisioned’ access. In fact, nearly 80% of financial organisations surveyed are concerned about vulnerabilities resulting from the overprovisioning of non-employees, according to our research.
 
This lack of visibility is a cause for concern. Not only is there a risk of identities being compromised by bad actors, who can then gain access to confidential systems, but users with too much access can cause unintentional mishaps, like deleting important files. 
  
The proliferation of third-party identities is a growing problem, but the challenge is heightened by the increasing number of applications those users need access to and the range of entitlements that must be managed.   
  
For stretched IT teams - many still reliant on legacy tools and manual processes - this creates an overwhelming burden. Managing hundreds of users manually is an almost impossible task, often resulting in loosely controlled access, poor oversight, and increased cyber risk.  

The Burden Of Legacy Technology   

Managing ICT risks associated with overprovisioned identities must be a top priority for organisations. However, 53% of surveyed financial organisations manage this data manually, making compliance a daunting task. Any lack of visibility can create significant security gaps, leaving businesses open to attack.   
 
ICT teams must carefully control which identities in their supply chain have access - to what, when, and for how long. Access should be granted strictly on a need-to-know basis, with rigorous management of onboarding, offboarding, and the entire identity lifecycle in between.

Enhancing visibility into these identities is crucial for mitigating risk.  
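The controls described above (a need-to-know baseline per role, access bounded by the contract window, and a watch on dormant accounts) can be expressed as a simple periodic access review. The script below is an added example, not code from the article or from SailPoint; the role baselines, entitlement names and identity records are constructed sample data.

```python
from datetime import date

# Constructed sample data: the entitlements each third-party role legitimately
# needs (the "need-to-know" baseline). Names are illustrative only.
ROLE_BASELINE = {
    "ap-contractor": {"erp-read", "invoice-submit"},
    "auditor": {"ledger-read", "report-export"},
}

# Constructed sample identities: what was actually granted, when the
# engagement ends, and when the account last signed in.
IDENTITIES = [
    {"id": "c-1001", "role": "ap-contractor", "entitlements": {"erp-read", "invoice-submit"},
     "contract_end": date(2025, 12, 31), "last_login": date(2025, 6, 20)},
    {"id": "c-1002", "role": "ap-contractor", "entitlements": {"erp-read", "invoice-submit", "erp-admin"},
     "contract_end": date(2025, 12, 31), "last_login": date(2025, 6, 18)},
    {"id": "a-2001", "role": "auditor", "entitlements": {"ledger-read"},
     "contract_end": date(2025, 3, 31), "last_login": date(2025, 3, 28)},
    {"id": "a-2002", "role": "auditor", "entitlements": {"ledger-read", "report-export"},
     "contract_end": date(2025, 12, 31), "last_login": date(2025, 1, 5)},
]


def review_access(identities, baseline, today, dormant_days=90):
    """Return (identity_id, finding, detail) tuples for each lifecycle gap found."""
    findings = []
    for ident in identities:
        allowed = baseline.get(ident["role"], set())
        # Overprovisioned: granted entitlements outside the role's baseline.
        excess = ident["entitlements"] - allowed
        if excess:
            findings.append((ident["id"], "overprovisioned", sorted(excess)))
        # Offboarding gap: engagement ended but the identity still holds access.
        if ident["contract_end"] < today:
            findings.append((ident["id"], "offboarding-gap", str(ident["contract_end"])))
        # Dormant: no sign-in for longer than the review threshold.
        idle = (today - ident["last_login"]).days
        if idle > dormant_days:
            findings.append((ident["id"], "dormant", f"{idle} days"))
    return findings


def sample_findings():
    """Run the review over the constructed data as of a fixed review date."""
    return review_access(IDENTITIES, ROLE_BASELINE, date(2025, 6, 30))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

In practice the identity records would come from the HR system and the entitlements from the directory or IGA platform; the review logic stays the same.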
  
To reduce the manual pressures of this task, AI serves as a silent but effective partner. Technology such as AI-enabled identity security can automate these tasks and seamlessly manage access requirements in real time. This real-time oversight enables IT teams to keep on top of the surge in identities needing access to different applications, ensuring that each identity has only as much access as is required to perform its role.
  
Today, sophisticated AI-enabled identity security solutions are already impacting how organisations see, manage, control, and secure all variations of identity. This technology also helps to reduce the attack surface, enabling easy detection of suspicious and unusual behaviour well ahead of a breach, easing the burden on IT teams and supporting compliance efforts.  

A Comprehensive Picture   

Despite robust preventative measures, security breaches are inevitable. To comply with DORA, financial firms should standardise ICT-related incident management and reporting processes to understand how incidents happened and what role users played. In the event of a breach, detailed information must be collected and shared to identify attack patterns and enhance cyber resilience.
  
To support incident reporting, modern identity security systems can help provide a comprehensive picture of events. In recent years, there has been a rapid growth of identity threat detection and response (ITDR) solutions, which enrich the context of security incident analyses so organisations can better identify unusual patterns of behaviour, enabling more proactive and predictive capabilities.   
  
ITDR solutions, combined with identity security solutions, provide an incredible amount of context in real time, helping organisations to identify threatening activity and what remediation is needed - all in a single source of truth. AI, combined with the power of unified identity data, is a clear path forward to help stay ahead of threats today.  

Making Regulation A Reality   

Amid the pervasiveness of sophisticated threats, DORA compliance is non-negotiable - but it also shouldn’t be seen as a mere box to tick. To simplify compliance complexities, adopting a proactive, AI-driven identity security strategy will be crucial in enhancing visibility and governance over ICT risks.

Improving oversight of users and access requirements within intricate financial supply chains will be vital for closing security gaps and ensuring a resilient future. 

Mo Joueid is Identity Security Consultant at SailPoint 

Image: Ideogram
