DORA reshaping financial security
CybersecurityHQ Report
This newsletter is inspired by a deep analysis of Nikesh Arora, CEO of Palo Alto Networks, and his strategic approach to cybersecurity. It embodies his leadership style, forward-thinking mindset, and innovative insights. While not an exact representation, this analysis reflects key elements of Arora's vision for the future of cybersecurity, offering insights to guide proactive strategies and innovation.
As of January 17, 2025, the EU’s Digital Operational Resilience Act (DORA) will officially come into effect, marking a monumental shift in how financial institutions approach cybersecurity and operational resilience. With my years of experience in technology, finance, and cybersecurity, I am more convinced than ever that DORA is not merely a regulatory framework—it's the catalyst for a new era in financial sector security.
Reflecting on DORA, I am reminded of a conversation I had with Larry Page at Google many years ago. We were discussing Android's potential impact on mobile computing, and Larry shared a thought that stuck with me: "The interesting problems are never about the technology itself, but about how it changes the entire ecosystem." DORA is a perfect embodiment of this principle. While many might view it as just another compliance requirement, I see it as a fundamental shift in how we build and maintain financial sector security. The problem today is no longer about isolated threats, but about interconnected risks across a broader ecosystem. Much like how Android changed the mobile landscape, DORA has the potential to reshape financial security in profound ways.
The Changing Landscape of Cybersecurity in Finance
At Palo Alto Networks, we see thousands of cyberattacks daily, targeting financial institutions at an alarming rate. The International Monetary Fund (IMF) estimates that the direct costs of cyber incidents in the financial sector have totaled $12 billion over the past two decades, but this likely underestimates the true extent of the issue. Most cyberattacks go unreported, and the broader economic impact—including lost productivity, reputational damage, and regulatory fines—can be exponentially higher. In 2024, attacks on European financial institutions doubled, highlighting just how quickly threats are escalating. This is not just linear growth—it's exponential. Cybercriminals are becoming more sophisticated, more targeted, and, in many cases, more damaging. Traditional, linear approaches to cybersecurity are no longer sufficient.
I recall my early years at Deutsche Telekom, where I witnessed the dangers of individual, siloed defenses. Organizations focused on securing their own systems while ignoring the broader ecosystem. This approach no longer works. In today’s interconnected world, security must be an ecosystem-wide challenge—one that requires collaboration, continuous adaptation, and a shift from reactive to proactive measures. DORA embodies this philosophy by establishing a framework that demands resilience not just from individual organizations, but from the entire financial ecosystem. The true value of DORA lies in encouraging a collective approach to building security—one that elevates the entire sector.
Looking back at my experiences leading major digital transformations—at Google, SoftBank, and now at Palo Alto Networks—I see three strategic opportunities that many organizations are overlooking when it comes to DORA.
1. Forced Innovation Acceleration
When I was at Google, we faced regulatory challenges that could have stifled innovation. But instead, these challenges acted as catalysts, forcing us to rethink our approaches and accelerate our innovations. DORA will do the same for financial security. The firms that view DORA as a challenge to drive innovation—rather than just a burden to comply with—will emerge as leaders. The changes DORA requires will push financial institutions to adopt new security technologies, integrate advanced analytics, and rethink their cybersecurity frameworks. Those that see compliance as a strategic advantage will ultimately be the winners.
2. Ecosystem Value Creation
At SoftBank, I learned that real value emerges at the intersections of different sectors. DORA, by creating a standardized security framework, opens opportunities for financial institutions to collaborate in ways that will create products and services we have yet to imagine. It’s not just about fulfilling a set of security requirements—it's about fostering a shared ecosystem where innovation can thrive. DORA lays the groundwork for developing new, security-first financial products, creating tremendous value for both institutions and customers alike.
3. Competitive Advantage Through Security
The cost of DORA compliance is significant. McKinsey estimates that it could cost between €5-15 million for the initial setup. However, focusing solely on the cost of compliance misses the point. The real opportunity lies in using DORA as a springboard to build next-generation security capabilities that offer a competitive advantage. By embracing DORA early, financial institutions can position themselves as leaders in the security space, earning the trust of customers and investors. Security is no longer merely a technical requirement—it is a strategic asset that can differentiate an organization in a crowded marketplace.
What Many Get Wrong About DORA
As organizations grapple with DORA’s implementation, there are several misconceptions that could lead to costly mistakes. Let me address three of the most common missteps.
1. The Skills Gap Misconception
Many are focused on the cybersecurity talent shortage. While there is a scarcity of skilled professionals, this isn't the key issue. At Palo Alto Networks, we’ve learned that the real challenge is not simply finding talent—it’s building it. Organizations must focus on developing their internal talent, investing in training programs, and fostering a culture of continuous learning. Relying solely on external hires will never be enough. To truly build resilience, institutions must invest in their people and create an internal pipeline of security experts.
2. The Cost Structure Fallacy
There’s been a lot of attention on the cost of implementing DORA’s requirements. While the financial outlay is significant, it’s important to understand that the true cost of non-compliance or inadequate security is far greater. The real cost isn’t in the implementation—it’s in the missed opportunity to transform your security posture. Institutions that view DORA as a one-time project with a fixed deadline will be missing the point. Security transformation is a continuous journey, not a box to check.
3. The Implementation Timeline Trap
Many organizations view DORA as a linear project with a fixed deadline—January 17, 2025. But this kind of thinking is dangerous. Security transformation is not a one-off project; it’s a continuous process that requires ongoing adaptation. The timeline is not defined by a regulatory deadline but by the evolving threat landscape. Organizations must view DORA as a continuous, adaptive process and invest in building systems that can evolve in real-time.
The Future of Financial Sector Security Post-DORA
With DORA now in effect, I anticipate several key trends emerging over the next five years.
1. Consolidation Wave
In the next 24 months, I expect to see a wave of consolidation within European financial services. Smaller institutions that are unable to build robust security capabilities will likely be acquired by larger players. DORA has raised the bar for security standards, and only those who can meet these requirements will thrive.
2. The Evolution of Security-as-a-Service
Over the next 36 months, we will see the rise of security service providers specifically designed to help financial institutions achieve DORA compliance. This will transform how institutions approach security operations. Security-as-a-service will become the norm, providing flexible, scalable solutions to meet evolving needs.
3. DORA as a Global Standard
Just as GDPR has become the global standard for privacy, DORA is likely to have significant influence on global financial sector cybersecurity practices. While it may not become the de facto global standard immediately, its impact will drive convergence across security regulations, especially as financial institutions around the world begin to adopt best practices from DORA.
What Leaders Need to Do Now
As a leader, I offer the following advice to those guiding their organizations through the challenges and opportunities of DORA:
1. Think Platform, Not Project
DORA is not just a compliance project—it’s an opportunity to build a platform for long-term security resilience. Institutions must invest in building adaptive, integrated systems that can evolve with the threats of the future.
2. Invest in Intelligence
At Google, we learned that data beats opinions. Financial institutions must invest in building security intelligence capabilities that can inform and strengthen their overall security posture. This includes leveraging technologies like machine learning and predictive analytics to anticipate and mitigate risks before they happen.
3. Build Ecosystem Partnerships
No financial institution can build all the necessary security capabilities internally. The future of cybersecurity will be collaborative. Financial institutions should start building their ecosystem of trusted security partners now and work together to create shared responsibility for resilience.
Conclusion
DORA is no longer just a regulatory requirement—it is a fundamental shift in how the financial sector must approach cybersecurity and operational resilience. As of January 17, 2025, organizations must not only comply with DORA but leverage its framework to transform their operations, innovate with new products, and build long-term, adaptive security capabilities. Institutions that view DORA as a burden will find themselves vulnerable in an era where security is no longer just a technical concern but a core business function.
The winners in this new era will not necessarily be the largest institutions or those with the biggest budgets. They will be the organizations that embrace DORA’s principles, adapt to the evolving threat landscape, and build resilient, ecosystem-wide security solutions. DORA is the dawn of a new era in financial security, and it’s up to leaders to decide whether they will use this opportunity to transform or merely comply. The deadline has passed, but the true journey of transformation begins now.
Stay Safe, Stay Secure.