Bridging the Gap Between Physical and Cyber Security

Recent attacks on energy grids, undersea cables and transport hubs show how warfare now combines sabotage and cyber‑attacks. Drones are being used for espionage, ideologically motivated insiders can damage both operations and data, and executives face coordinated physical attacks and online harassment. The OSCE notes that wars are fought “with keyboards and sabotage”, and critical infrastructure – from power plants to data centres and satellites – is under constant pressure.

Into this environment steps the EU’s Digital Operational Resilience Act (DORA). Effective from 17 January 2025, DORA harmonises digital resilience rules for nearly every financial entity and its ICT providers. It obliges organisations to implement integrated ICT risk management, report significant incidents, regularly test their resilience and manage third‑party risk.

What does this mean for security professionals?

  1. Shared governance: DORA mandates board‑level oversight of ICT risk. Physical‑security and cyber‑security leaders must collaborate, not compete.
  2. Integrated risk assessments: Model how physical breaches (e.g., sabotage, power failures) could trigger cyber incidents, and vice versa.
  3. Coordinated incident response: Plans should address scenarios where a single event has both physical and digital impacts.
  4. Third‑party oversight: Contracts with facilities managers, cloud providers and other service partners must include resilience and security clauses.
  5. Resilience testing: Threat‑led penetration tests and crisis exercises should include physical elements such as simulated facility outages.

The bottom line: operational resilience is now a holistic discipline. Modern threats don’t respect organisational silos, and neither should our defences. By uniting physical and cyber security, embracing regulations like DORA and investing in cross‑functional resilience, European businesses can reduce risks, protect their people and assets, and build trust with clients and regulators.
