DORA

ZeroTrustDORA.com

The EU Digital Operational Resilience Act (applicable from January 2025) requires financial entities — banks, insurers, investment firms, and their critical ICT third-party providers — to demonstrate robust ICT risk management, incident reporting, and operational resilience testing, with binding technical standards that include access management, network segmentation, and continuous threat monitoring. DORA's ICT risk framework aligns directly with Zero Trust architecture: identity-based access controls, encrypted data flows, and continuous monitoring of third-party ICT provider access satisfy the key technical requirements that EBA, EIOPA, and ESMA will assess during supervisory examinations.
