Navigating DORA: How Sekoia.io can support your compliance journey
Summary: The EU Digital Operational Resilience Act (DORA) has applied since January 2025 and requires financial entities to strengthen their cybersecurity measures, including protecting information and communication technology (ICT) systems, managing cyber incidents and carrying out threat-led penetration testing (TLPT). By providing threat intelligence, a security operations centre (SOC) platform and automated response tooling, Sekoia.io helps institutions achieve compliance and improve their ability to withstand real attacks.
2025-06-03 07:32:04 Author: blog.sekoia.io

As the threat landscape evolves and organisations' digital footprints grow, regulatory frameworks continue to emerge that aim to bolster the security posture of organisations, particularly in the financial sector. One such regulation is the Digital Operational Resilience Act (DORA), applicable since January 2025, which sets stringent security requirements for financial entities operating within the European Union. In this blog post, we explore the key aspects of DORA and how Sekoia.io assists organisations in achieving compliance, particularly through robust cyber threat intelligence for crisis exercises and cyberattack simulations.

Introducing DORA, TIBER and friends

The European DORA regulation (Regulation (EU) 2022/2554; read the official text), adopted at the end of 2022 and applicable from 17 January 2025, aims to ensure that nearly all financial sector entities (including banks and insurers, administrators of critical benchmarks, service providers and crypto-asset issuers, over 22,000 entities across the EU) put in place the necessary safeguards to mitigate risks linked to cyberattacks.

DORA also requires all in-scope firms to:

  1. implement measures to protect against all types of threat and disruption linked to information and communication technologies (ICT)
  2. put in place a system for managing, classifying and reporting ICT-related incidents
  3. in the case of systemic entities, regularly conduct advanced tests on ICT tools, systems and processes using threat-led penetration testing (or red teaming); DORA sets the cadence at least once every three years

In addition, DORA introduces a framework for the direct oversight by financial supervisors of critical service providers, including cloud service providers.

One essential aspect of DORA compliance is the performance of cyberattack simulations and penetration testing. Among its requirements, DORA establishes a Threat-Led Penetration Testing (TLPT) framework aligned with TIBER-EU. TIBER (Threat Intelligence-Based Ethical Red Teaming) is a common, EU-wide framework that delivers a controlled, bespoke, intelligence-led red team test of financial entities’ critical live production systems.

It allows the tested entities to understand their real-world resilience by stressing all elements of their business against the tactics, techniques and procedures (TTPs) of threat actors specific to their organisation. By simulating real-world attack scenarios, organisations can evaluate their response capabilities, refine their incident response plans, and ultimately enhance their operational resilience.

How Sekoia.io can support your DORA compliance journey

At Sekoia.io, we understand the multifaceted challenges organisations face in navigating DORA compliance while addressing real-world threats. Our extensive experience in cyber threat intelligence empowers organisations to not only meet regulatory expectations but also adapt proactively to the evolving threat landscape. Let’s break it down.

Resilience testing: actionable cyber threat intelligence

The Sekoia SOC Platform draws much of its value from its exclusive threat intelligence, produced by Sekoia Threat Detection & Research (TDR), commonly known as the TDR team. Created in 2020, Sekoia TDR is one of the largest teams in Europe and is a partner of Europol EC3 in the fight against cybercrime, and of FS-ISAC for the financial sector specifically. Discover more about Sekoia TDR here.

Covering both state-sponsored and cybercrime threats, our CTI includes freshly contextualised Indicators of Compromise (IOCs) and high-quality threat reports for decision makers, thereby providing a comprehensive perspective from the strategic to the technical level. In addition, our detection engineering develops and maintains high-quality detection rules, focusing on the tactics, techniques and procedures (TTPs) most used by adversaries.

Our research on the financial sector, as detailed in the 2023 Sekoia TDR report Unmasking the Latest Trends of the Financial Cyber Threat Landscape, highlights emerging cyber threats specifically relevant to financial institutions, including financially motivated intrusion sets targeting the sector, banking malware and shifts in the TTPs used by emerging threats. Read the full report here.

This long-standing expertise in cyber threat intelligence enables Sekoia.io to provide organisations with critical insights into the evolving threats impacting the financial sector. This intelligence helps organisations understand vulnerabilities and trends within the sector, enabling more informed risk assessments and proactive strategies. In particular, it allows organisations to scope TLPT exercises around relevant, identified threats, thereby facilitating compliance with DORA, which made these tests mandatory for certain critical financial entities.

CTI in practice: from strategic view to technical data

Sekoia Intelligence provides the insights and operational data you need for penetration tests. But what does it look like in practice? How can CTI be concretely leveraged in the platform for cyber exercises?

Let us take as an example the well-known North Korean intrusion set Lazarus, particularly relevant for the financial sector because of its lucrative operations against banking institutions, crypto and decentralised finance (DeFi) services.

The following seven-step deep-dive illustrates how a TLPT team can pivot through the intelligence to select the specific actions or attack patterns to simulate, aligned with a recent campaign the stakeholders want tested:

1) Location: Get the context on the nation or area from where a certain attack originates.

2) Threat actors: Identify the key groups or organizations active in the identified location.

3) Intrusion set: Have an overview of the cluster of related intrusion activities sharing common tactics and tools.

4) Campaign: Understand the coordinated sequence of attacks carried out to achieve the objective.

5) Infrastructure: Break down the servers, domains and network assets used to launch or control the attack.

6) Malware: Examine the malicious software or code deployed to compromise or exploit systems.

7) Indicator of compromise (IoC): Retrieve the traceable artifacts (IP address, file hash, URL, etc.) that signal a security breach.

In summary, our continuous research into specific cyber threats includes analysing intrusion sets and attack patterns relevant to the financial sector. This intelligence is essential for risk assessments and for replicating specific attack scenarios during simulations, ensuring that organisations are prepared for potential threats. Technical data on relevant malware and IoCs is designed to be leveraged for Threat-Led Penetration Tests.
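As an added example, not Sekoia.io's own code or data: the seven-step pivot above maps directly onto STIX 2.1 object types (Location, Threat Actor, Intrusion Set, Campaign, Infrastructure, Malware, Indicator) and their standard relationship types (`located-at`, `attributed-to`, `uses`, `indicates`). The Python below builds a constructed bundle in that shape, walks it from a location down to its indicators, and extracts plain observables from the indicator patterns for a test plan. Names follow the page's Lazarus example; every identifier, IP address (TEST-NET-2 range), domain (`.invalid`) and hash in it is a placeholder, not real infrastructure.

```python
"""Added example (not Sekoia.io code): walk a STIX 2.1 bundle along the
seven-step pivot (location -> threat actor -> intrusion set -> campaign ->
infrastructure / malware -> indicator) and reduce indicator patterns to plain
observables. The bundle is constructed; all IDs, IPs, domains and hashes are
placeholders."""
import re


def _sid(stix_type, n):
    # Placeholder STIX identifier in the 'type--uuid' shape.
    return f"{stix_type}--00000000-0000-4000-8000-{n:012d}"


def _rel(n, src, rel_type, dst):
    # STIX Relationship Object (SRO) linking two domain objects.
    return {"type": "relationship", "id": _sid("relationship", n),
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst}


LOC, ACTOR, ISET, CAMP = _sid("location", 1), _sid("threat-actor", 1), _sid("intrusion-set", 1), _sid("campaign", 1)
INFRA, MAL = _sid("infrastructure", 1), _sid("malware", 1)
IND_IP, IND_DOM, IND_HASH = _sid("indicator", 1), _sid("indicator", 2), _sid("indicator", 3)
VALID_FROM = "2025-01-01T00:00:00Z"

SAMPLE_BUNDLE = {  # constructed sample data, not a vendor export
    "type": "bundle", "id": _sid("bundle", 0),
    "objects": [
        {"type": "location", "id": LOC, "name": "North Korea", "country": "KP"},
        {"type": "threat-actor", "id": ACTOR, "name": "Lazarus"},
        {"type": "intrusion-set", "id": ISET, "name": "Lazarus"},
        {"type": "campaign", "id": CAMP, "name": "Placeholder DeFi campaign"},
        {"type": "infrastructure", "id": INFRA, "name": "Placeholder C2",
         "infrastructure_types": ["command-and-control"]},
        {"type": "malware", "id": MAL, "name": "Placeholder implant", "is_family": True},
        {"type": "indicator", "id": IND_IP, "name": "C2 address (placeholder)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.17']", "valid_from": VALID_FROM},
        {"type": "indicator", "id": IND_DOM, "name": "C2 domain (placeholder)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid']", "valid_from": VALID_FROM},
        {"type": "indicator", "id": IND_HASH, "name": "Implant hash (placeholder)", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "']", "valid_from": VALID_FROM},
        _rel(1, ACTOR, "located-at", LOC),        # step 1 -> 2
        _rel(2, ISET, "attributed-to", ACTOR),    # step 2 -> 3
        _rel(3, CAMP, "attributed-to", ISET),     # step 3 -> 4
        _rel(4, CAMP, "uses", INFRA),             # step 4 -> 5
        _rel(5, CAMP, "uses", MAL),               # step 4 -> 6
        _rel(6, IND_IP, "indicates", INFRA),      # step 5 -> 7
        _rel(7, IND_DOM, "indicates", INFRA),
        _rel(8, IND_HASH, "indicates", MAL),      # step 6 -> 7
    ],
}


class StixGraph:
    """Minimal relationship index over a STIX 2.1 bundle (plain dicts, no stix2 dependency)."""

    def __init__(self, bundle):
        self.objects = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
        self.rels = [o for o in bundle["objects"] if o["type"] == "relationship"]

    def of_type(self, stix_type):
        return [o for o in self.objects.values() if o["type"] == stix_type]

    def related(self, ids, rel_type, want_type, inbound):
        """Follow SROs of rel_type out of `ids`. inbound=True returns the source
        objects that point AT ids (indicator --indicates--> infrastructure);
        inbound=False returns the targets that ids point to (campaign --uses--> malware)."""
        ids, found = set(ids), {}
        for r in self.rels:
            if r["relationship_type"] != rel_type:
                continue
            here, there = (r["target_ref"], r["source_ref"]) if inbound else (r["source_ref"], r["target_ref"])
            obj = self.objects.get(there)
            if here in ids and obj and obj["type"] == want_type:
                found[obj["id"]] = obj  # dict preserves order and dedupes
        return list(found.values())


def _ids(objs):
    return [o["id"] for o in objs]


def pivot_from_location(bundle, country_code):
    """Steps 1-7: from a Location down to the Indicators of campaigns run from there."""
    g = StixGraph(bundle)
    locations = [o for o in g.of_type("location") if o.get("country") == country_code]
    actors = g.related(_ids(locations), "located-at", "threat-actor", inbound=True)
    intrusion_sets = g.related(_ids(actors), "attributed-to", "intrusion-set", inbound=True)
    campaigns = g.related(_ids(intrusion_sets), "attributed-to", "campaign", inbound=True)
    infrastructure = g.related(_ids(campaigns), "uses", "infrastructure", inbound=False)
    malware = g.related(_ids(campaigns), "uses", "malware", inbound=False)
    indicators = g.related(_ids(infrastructure) + _ids(malware), "indicates", "indicator", inbound=True)
    return {"location": locations, "threat_actor": actors, "intrusion_set": intrusion_sets,
            "campaign": campaigns, "infrastructure": infrastructure, "malware": malware,
            "indicator": indicators}


# Single-comparison STIX pattern: [object-type:property = 'value']
_SIMPLE_PATTERN = re.compile(r"\[([\w-]+):([^\s=]+)\s*=\s*'([^']*)'\]")


def observables(indicators):
    """Reduce simple STIX patterns to (object type, property, value). Compound
    patterns (AND / OR / FOLLOWEDBY) are skipped rather than half-parsed, so the
    red team never receives a lone fragment of a multi-condition rule."""
    out = []
    for ind in indicators:
        if ind.get("pattern_type", "stix") != "stix":
            continue
        m = _SIMPLE_PATTERN.fullmatch(ind["pattern"].strip())
        if m:
            out.append(m.groups())
    return out


if __name__ == "__main__":
    chain = pivot_from_location(SAMPLE_BUNDLE, "KP")
    for step, objs in chain.items():
        print(f"{step:15} {[o['name'] for o in objs]}")
    for obj_type, prop, value in observables(chain["indicator"]):
        print(f"{obj_type}:{prop} = {value}")
```

Run as a script it prints the chain and the three observables. The same walk works over any STIX 2.1 export whose relationships use these types; an export that links an intrusion set to a location with `originates-from` instead of going through a threat actor, for example, needs that step of the chain adjusted, and compound patterns should be handed to a real STIX pattern evaluator rather than this simple regex.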

Protecting, tracking and reporting: extended supervision and response

In addition to threat analysis and resilience testing, DORA requires financial entities and ICT service providers to implement robust mechanisms for detecting, responding to, and recovering from cybersecurity incidents on an ongoing basis.

Regarding detection (Article 10), this includes continuously monitoring networks, systems and applications to identify suspicious or malicious activity, as well as the centralised collection, storage and analysis of logs from various sources to detect security incidents. In practice this means a security information and event management (SIEM) system or SOC platform that correlates and analyses the log data.

This is where Sekoia AI-SOC Platform comes into play, by leveraging exclusive CTI and AI to not only detect threats on an extended perimeter, but also to provide automated response when relevant. With regard to DORA, the solution:

  • Supports risk assessment – providing efficient KPIs (MTTD, MTTR) to CISOs and SOC managers
  • Contributes to digital resilience and better ICT risk management over the entire information system
  • Facilitates reporting of ICT-related incidents to authorities with ad hoc playbooks producing standardized reports
  • Makes CTI information sharing easy thanks to kill chain, ATT&CK and STIX modelization

Sekoia.io and the resilience of your supply chain

DORA emphasises the importance of having reliable and responsible providers. As a crucial part of your supply chain, we pledge to deliver the most robust and secure service available.

  • State-of-the-art security: Sekoia.io follows robust, industry-standard security guidelines to implement security in its product, in its infrastructure and in its organisation.
  • Certified hosting: All our platform instances are hosted by best-in-class providers. The solution can benefit from ISO 27001, PCI-DSS and SOC 2 Type 2 certified hosting, or even SecNumCloud qualified hosting granted by the French cybersecurity agency ANSSI, widely recognised as one of the strictest standards in Europe.
  • External auditing: Our product is pentested annually by leading auditors and tested for vulnerabilities on a continuous basis.
  • Internal monitoring: Sekoia.io is used to monitor all Sekoia.io activities and has its own CERT, which is a recognized member of InterCERT.
  • Continuous compliance program: Sekoia.io provides a dedicated, PCI-DSS-certified product for banking customers. Our ISMS was certified ISO 27001 in 2025, and SOC 2 is the next target.

Trust through transparency

You want to know more about our security program? Discover the Sekoia.io transparency hub: https://trust.sekoia.io/.

Conclusion: Supporting compliance and beyond

DORA represents a significant shift in how financial institutions must approach cybersecurity. Navigating the complexities of DORA compliance can be overwhelming, but with Sekoia.io as a partner, organisations can establish a robust framework that not only meets regulatory expectations but also enhances their overall cybersecurity posture. Our comprehensive suite of services contributes to a proactive approach to operational resilience, preparing you for an array of cyber threats.

For further insights on how we address cybersecurity compliance in the context of other regulations, be sure to check out our blog post on navigating the NIS2 directive here and deep-dive into the cyber trends impacting the financial sector by reading our 2023 report here.

Source: https://blog.sekoia.io/navigating-dora-compliance-with-sekoia/