
Resilience and DORA

Resilience has become a critical focus in modern cybersecurity and operational risk management. The Digital Operational Resilience Act (DORA) sets a new standard for how organizations in the EU financial sector must anticipate, withstand, and recover from ICT disruptions. DORA ensures that firms not only protect their digital services but also maintain business continuity under adverse conditions. It represents a shift from reactive incident response to proactive operational resilience.


Resilience has become one of the most vital pillars of cybersecurity and regulatory compliance in today’s digital economy. The financial sector, in particular, has recognized that protecting systems alone is not enough - organizations must be capable of withstanding, adapting to, and recovering from disruptions, attacks, or technical failures without jeopardizing critical operations.

The Digital Operational Resilience Act (DORA), established by the European Union, sets a comprehensive framework to ensure that all financial entities - and their critical third-party ICT service providers - achieve a high common level of digital operational resilience. DORA mandates that enterprises manage ICT risk holistically, implement robust incident reporting mechanisms, perform continuous testing, and maintain effective business continuity and disaster recovery capabilities.
The objective of DORA is not only compliance - it is to embed resilience as a strategic capability across governance, risk management, and technical design. Resilience, therefore, goes beyond preventing incidents; it ensures that even when systems fail, essential services remain operational, minimizing systemic impact and preserving stakeholder trust.
A well-defined resilience strategy operates on multiple levels - strategic, tactical, and operational. Strategically, resilience represents an organization’s long-term objective to stay functional and trusted despite constant change. Tactically, it involves translating resilience principles into architectures, technologies, and recovery frameworks. Operationally, these are put into continuous practice through monitoring, testing, and adaptation. Strategy, tactics, and operations must interlock seamlessly to fulfill the intent of DORA.

As with Zero Trust, resilience is not a product but a posture - a cultural and structural commitment to continuity. Misunderstandings about Resilience and DORA often arise from viewing them merely as compliance checkboxes, rather than as enablers of sustainable digital confidence.

Misconceptions about Resilience and DORA:
- Resilience is not limited to cybersecurity - it spans governance, people, and processes.
- Compliance with DORA does not guarantee resilience - it provides the framework to achieve it.

Insights on Operational Resilience:

"Resilience is not the opposite of risk — it’s the capability to absorb risk without failure."

Further details and implementation guidance can be found via the official European Commission DORA page and related EBA/ESMA/EIOPA publications.


Publications

ESAs publish first list of “Critical ICT Third-Party Providers” under DORA

ISACA Round Table 2025 Oct 07 Cyber Threat Psychology

Cyber Threat Psychology Research Group

CSA Cyber Threat Psychology WG Session 20250310

CSA Cyber Threat Psychology WG Session 20250224

CSA Cyber Threat Psychology WG Session 20250210

CSA Cyber Threat Psychology WG Abstract

CISA: The Journey to Zero Trust

Microsegmentation in Zero Trust Part One: Introduction and Planning

Zero Trust Guidance for Small and Medium Size Businesses (SMBs)

This publication provides guidance for small and medium-sized businesses (SMBs) transitioning to a Zero Trust architecture.

DoD Zero Trust Strategy

This Zero Trust strategy, the first of its kind for the Department, provides the necessary guidance for advancing Zero Trust concept development; gap analysis, requirements development, implementation, execution decision-making, and ultimately procurement and deployment of required ZT capabilities and activities which will have meaningful and measurable cybersecurity impacts upon adversaries. Importantly, this document serves only as a strategy, not a solution architecture. Zero Trust Solution Architectures can and should be designed and guided by the details found within this document.

Department of Defense (DoD) Zero Trust Reference Architecture

The DoD Cybersecurity Reference Architecture (CS RA) documents the Department’s approach to cybersecurity and is being updated to become data centric and infuse ZT principles. ZT supports the 2018 DoD Cyber Strategy, the 2019 DoD Digital Modernization Strategy, the 2021 Executive Order on Improving the Nation’s Cybersecurity, and the DoD Chief Information Officer’s (CIO) vision for creating “a more secure, coordinated, seamless, transparent, and cost-effective architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.” ZT should be used to re-prioritize and integrate existing DoD capabilities and resources, while maintaining availability and minimizing temporal delays in authentication mechanisms, to address the DoD CIO’s vision.

NSTAC Report

In May 2021, in the aftermath of a series of significant cybersecurity incidents, the White House tasked the President’s National Security Telecommunications Advisory Committee (NSTAC) with conducting a multi-phase study on “Enhancing Internet Resilience in 2021 and Beyond.” The tasking directed NSTAC to focus on three key

Zero Trust Architecture

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Zero Trust Maturity Model

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible. Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time. This provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies. More fundamentally, zero trust may require a change in an organization’s philosophy and culture around cybersecurity.

NSA: Embracing a Zero Trust Security Model

As cybersecurity professionals defend increasingly dispersed and complex enterprise networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services.