It may seem that you’re barely catching your breath from the last big data security regulation to come in, and then there’s a new one on the horizon. But this isn’t such a bad thing: it keeps us on our toes. And that’s exactly where we need to be – now more than ever.
Reframing regulations
Regulations are set by governing bodies to protect citizens, but in following the guidelines to ensure compliance, you are also protecting your own network. The rise in regulations reflects our environment: one where there is no network perimeter, where people are working everywhere, and where data must be accessible. Our approach to resilience needs to evolve to match this environment, with data security becoming proactive, preemptive, and constant. It needs to be watching inside the business enterprise network and beyond, because cyber criminals are innovating just as fast as we are, but without the restrictions. Our own innovations are also exposing new weak spots as we scramble to adopt new applications of AI, automation, predictive analytics and more.
DORA for the finance sector
Nowhere do we need to be more vigilant than in the finance sector, which has seen the introduction of a new regulation, the Digital Operational Resilience Act (or DORA, as you likely know it). DORA applies to financial entities and the IT firms that serve them, operating in or from the EU. It came into effect in January 2025 to reduce the ICT-related risks that could threaten Europe’s financial system stability.
Like it or not, regulations like DORA are needed, with 78% of EU financial institutions covered by DORA having experienced a third-party breach in the space of a year (to June 2023).
There are other regulations like this coming into effect across the globe, from the 23 NYCRR Part 500 for businesses registered in New York to Japan’s Economic Security Promotion Act, and many more across the UK, Canada and Australia.
Success depends on achieving long-term resilience
Whether DORA applies to you or not, the plea is clear: act now, not when it’s too late. Those IT leaders who shape their infrastructure around long-term resilience can stand tall against AI-generated threats, malware, social engineering, ransomware, and supply chain attacks – all of which are on the rise.
With the risk landscape so dynamic, and AI-driven cyber security hailed as 'the next big thing', it is easy to overlook the fundamental building blocks of robust data security. Here are our best practices to help you stay on point:
- Risk assessment – start here to detect any weak spots or potential risk areas. And even if you’ve done one before, do it again. And again. As your business evolves, your risk potential will too.
- What needs protection? Consider the areas you need to focus on; it could be access control, data security, or information protection. Highly sensitive data or systems can be air-gapped – kept physically separate from external networks and the internet – so that a remote attack on them becomes impossible.
- How do you detect an attack or threat? Whether it is your systems slowing down or a high level of activity from an unusual country, as long as your data is in order, the right monitoring system will readily detect when anything moves or changes. Malware detection and penetration testing are both still important, but going forward, also consider security systems that are AI-ready, as industry innovation is accelerating in that direction.
- How will you respond to red flags? Can you quickly protect the wider data infrastructure from compromised systems or data? What solutions or procedures are in place, and do they have the capabilities to stand up in the current threat landscape?
- What’s your recovery process? How long until you can get systems back online? Set your standard and make sure you can meet it. At Hitachi Vantara, we have an 11-hour back online promise for our customers. Also consider where your backups will be; offsite backups are crucial to protecting against physical and environmental threats. And look at how often you back data up – consider updates every 20 or 30 minutes to lessen the business impact of an attack.
- How will you test and monitor? Attack yourself before anyone else can. At Hitachi Vantara, we offer customers a digital twin environment: a virtual world where you can essentially attack your own environment, test scenarios, and trial solutions. Monitoring must be continuous, as must this entire checklist.
Through a continuous cycle from assessment to testing and monitoring, you will always be a step ahead of the criminals (and even of accidental missteps). Being proactive is the key to staying abreast of your changing landscape.
In our newsletter, we cover more insightful topics; from Zero Trust policies through to unlocking sustainability in an AI world. I hope you enjoy.
For more on how you can accelerate and simplify your DORA compliance journey, see this eBook.
Something take your fancy?
Want to discuss something you've read? Let’s make it a date.