What does it mean to be secure in your sector? While every organization has its own cyber security policies, numerous pieces of legislation also set out minimum requirements for security that firms must reach or else be held accountable through fines. The EU’s Digital Operational Resilience Act – which came into force in 2023 and applies from 17 January 2025 – aims to do just this for financial entities within the region. But what does being DORA-ready mean in practice? And how will the legislation add to the responsibilities of IT professionals? In this episode, Jane and Rory speak to John Stevenson, Technical Director at Skybox, to better understand the EU’s Digital Operational Resilience Act and what it means for businesses.
Highlights

“So obviously many organizations, not least in the financial sector, will have, you know, red teaming and penetration testing activities and exercises that they do, however, to augment that, being able to model the environment is actually a pretty important thing when it comes to enhancing your cyber resilience.”

“The worry is, of course, that if there's a compromise somewhere, then it can spread across the domains if you will. Therefore, what DORA essentially says is you have to know what your connections are to third parties. And you have to know the precise nature of those connections, obviously, with the view to being able to isolate them if you need to.”

“This is a much more systematic approach. This says you need to be continuously managing your exposure. It says you need to take a risk-based approach, and that means you need to look at your organizational risk and how you're going to, what tools and methodologies you're going to use to deal with that, because they're not going to be the same across every bit of every organization.”
What DORA means for business
Stringent requirements for third party monitoring and ongoing resilience testing could help put businesses on the best track for security