How financial services can use compliance to drive operational resilience
Doug Drinkwater
Understanding the business pros and cons of regulatory mandates
The European Commission has begun to signal a more business-friendly approach to regulation over the past year. But don’t be fooled. While the mood music is one of boosting competitiveness and reducing red tape, when it comes to cyber-related regulation like DORA, NIS2 and the EU AI Act, financial services firms are still under extreme pressure.
At a recent C-suite Exchange hosted by HotTopics in partnership with Zscaler, industry CISOs and CIOs debated the pros and cons of key compliance mandates, and how IT leaders can keep both the business and regulators happy while driving true operational resilience.
A new regulatory era
The latest resilience-focused regulations like DORA and NIS2 are very different from the highly prescriptive check-box approach of, say, PCI DSS. But that’s not necessarily a bad thing, argued James Tucker, Head of CISO EMEA at Zscaler.
“What the [new regulations] are actually doing is trying to drive outcomes – or herd immunity – and I think they very much recognise the interconnectedness of all of the digital systems that we have,” he said.
In this context, organisations that approach these new mandates with a box-ticking approach are less likely to achieve the right outcomes than those that genuinely try to build organisation-wide resilience.
“They just put things into the same old processes and do the work, but I don't think they get the benefits,” Tucker continued. “Other organisations are trying instead to follow the spirit of the law and are not afraid to say, ‘look, we can't check this box yet in good faith, but we're working on it, and here's the plan.’”
Regulators make life tough
Tucker’s colleague, Olivier Daloy, CISO-in-Residence at Zscaler, had a more nuanced take. He argued that regulators are taking different approaches, which makes life difficult for financial services security leaders.
“Some regulations make it clear ‘this is the real minimum; if you don't follow this, you're clearly not following the law’. And some set an objective and hesitate a little bit between a minimum and a target,” he said. “To find the rules, you might have to read the full document, which could be 85 pages long. And even if you follow it, you may not understand the rules; what they really expect from you.”
Another attendee at the virtual event argued that regulators sometimes seem to be introducing new rules through “trial and error” – adding that many financial institutions aren’t equipped to meet their ambition.
“Many financial institutions are trying to meet forward-looking resilience standards, but with backward-looking architecture,” he said. “In a way we're trying to upskill, and be compliant with legacy infrastructure, but it's a very different board game from a security standpoint.”
The challenge is compounded by multiple local regulations at a member state level, which adds complexity and strains resources, added another security leader.
Given these challenges, it’s perhaps not surprising that research from 2025 found that 96% of EMEA financial services organisations feel DORA compliance is still a work in progress.
When regulation challenges business growth
A bigger issue is that regulatory compliance itself can be a barrier to business growth. Zscaler’s Tucker argued that it’s “not a good career move” to be the CISO who tries to interfere with the “money machine”.
“When they do their delineation for various compliance schemes, they find a way to put this outside of the compliant environment,” he said of many organisations in the sector.
Several attendees agreed, including one who claimed regulation could create a “competitive disadvantage” for his company if not handled correctly.
“One of the challenges I see with regulation moving more from a recommendation to a really strict law is balance,” he said. “In the end we have two choices: comply to the highest standard, which can create a risk of lagging behind, or take a more measured approach.”
Another shared similar views. “If you try and follow the letter of the law, it's a very quick exit route [for a CISO], because the money-making machine has to continue, and you have to balance it,” he admitted.
The right balance can be a challenge to achieve, because regulators often speak a different language to the companies they’re regulating, said one security leader. “We have best practices, and we have standardised processes. The key is how we translate those into fulfilling the sense of the regulation,” he explained. “That's certainly an area that I typically find tricky when communicating or defending a company's position to an auditor or regulator.”
Regulation can also be a business enabler
Not all security and IT leaders at the event were as hostile to European regulators. One suggested that the likes of DORA and NIS2 emerged after several “crises and crashes”, when the authorities realised they’d effectively been lied to by financial services organisations. In fact, the IMF has previously warned that the financial sector lost $12bn (£9bn) to cyber incidents in the two decades to 2024, with “extreme losses” more than quadrupling. This represents not just a threat to individual organisations but a systemic risk to the sector, it argued.
“The regulators’ job is not to punish institutions. It's to protect the consumers we're supposed to be serving,” the attendee suggested. “Speaking from our own implementation experience, [regulatory compliance] requires us to holistically connect end-to-end risk, impacts, testing, communication, ownership, and that can only be a good thing.”
The expectation of these regulations is not to solve all problems, or to impact business growth, he continued. “It means that we have the right safety net and awareness around [the business]. We don't just make it a technology problem, which in many cases it was in the past.”
Another attendee at a large global bank agreed that DORA is on balance an important piece of legislation given the financial sector’s huge supply-chain risk exposure. “We have 200,000 employees. Can you imagine the number of vendors that we're actually using?” he said. “We're obviously really concerned about the third-party, fourth-party and fifth-party risk down the supply chain.”
How to build true cyber and operational resilience
Zscaler’s Daloy argued that the best way to sell regulatory compliance to the business is to build “layer by layer”, starting with the areas that are “absolutely key”.
“There is a need to connect the regulation to the risks of the company, meaning to the GRC that the company has implemented,” he said. “Make sure that when you come to your execs, you don't only tell them, ‘this is the regulation’, but that, ‘although it is a regulation, the good thing is it matches what our risks are, and what really matters for business’.”
By taking this approach, financial services organisations can “start small and grow fast”, instead of trying to tackle an unwieldy regulatory document that has been “written by lawyers that may not have enough cybersecurity experience”, he added.
Another attendee explained that they sell compliance to the board by trying to “creatively tag on” to initiatives with obvious business value. “It does not have to be a shattering change, but something minor which progressively improves your product or your service offering. That can be really beneficial,” he suggested.
Building resilience in a post-Mythos world
Zscaler’s Tucker said he was concerned about the potential impact of powerful AI models on cyber resilience. Anthropic and others are warning that they will collapse time to exploitation by giving threat actors a potentially crucial advantage in vulnerability research. However, the real risk could be to the supply chain, Tucker argued.
“Let's assume a future where the offensive AIs are very good and publicly available, and that means we have to have our defensive AIs within our bank. And is this in the next six months? No, this is two, three years out, probably. But AI will be able to scale based on how much money you put into it,” he continued.
“They're not going to go up against you, because you have a bigger, better, faster AI detecting and fixing that. But your third parties that deliver a valuable service are going to be the way to get in.”
The answer is to minimise the attack surface and deploy “real, true zero trust”, he concluded. “Attack surface reduction and modern defensible architecture internally, are the best things we can do right now for all of that.”
For further resources on this topic:
- Europe’s digital sovereignty push: Are your tech choices keeping pace?
- How to protect against vulnerabilities found by Claude Mythos
- Transforming financial services: Modernise to secure, simplify and comply with confidence