Although they have had two years to prepare for the incoming legislation, a study has today revealed that a significant minority of UK financial services organizations are set to miss the 17 January 2025 deadline to comply with the European Union's (EU's) Digital Operational Resilience Act (DORA).

According to the Censuswide survey commissioned by Orange Cyberdefense, 43% of British financial services organizations say they are still exploring DORA and will not be compliant for another three months at least, putting them at significant risk of regulatory fines.

The 200 UK chief information security officers and cyber decision-makers polled on Orange's behalf overwhelmingly believed DORA would be beneficial and would significantly enhance overall resilience across the EU and its wider ecosystem.

Yet barriers to compliance persist, with respondents to the survey describing a plethora of issues – most of them relating to their own organization rather than the DORA legislation. Orange found these issues include a lack of prioritization in the wider organization (28%), a short timeline to becoming compliant (25%), a lack of specific skills and knowledge (24%), and a lack of visibility into supply chains and third-party partners (23%). To overcome these, 97% said they were considering enlisting external support.

Some 84% said they had been given enough or more than enough budget to become compliant, and a parallel study from Rubrik Zero Labs today reported that about 47% of UK financial services organizations had spent over €1m (£842,000) on compliance measures.

“The regulatory landscape in the EU is heavily congested, with several overlapping standards and laws now in effect. There is a lot to navigate, and we're increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible,” said Richard Lindsay, principal advisory consultant at Orange Cyberdefense.

“However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership.

“The threat landscape has never been more volatile. The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats,” Lindsay added.

“DORA doesn't mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. But, as is always the case in cyber security, the clock is ticking.”

Orange additionally noted that given the formal introduction of DORA comes just three months after the EU stood up the Network and Information Systems Directive 2 (NIS2) in October 2024, the need to address broader cyber compliance demands and overlapping requirements in both sets of regulations may explain why the majority of respondents are feeling positive about DORA, despite anticipating delays in achieving compliance.

What is DORA?

At its core, DORA aims to strengthen cyber security at financial services organizations and improve sector resilience across Europe. It harmonizes operational resilience rules that apply to 20 different types of financial entities, such as banks, insurance companies and third-party tech suppliers.

According to Brussels, regulation such as DORA has become necessary because the financial services industry's dependence on IT and the tech ecosystem makes it acutely vulnerable to cyber disruption, and if not managed properly this can spill over into the wider economy.

DORA governs a number of areas, such as IT risk management frameworks, third-party risk monitoring and oversight of suppliers, operational resilience testing, cyber incident reporting, and information and intelligence sharing.

Sonatype's vice-president of solution architecture, Mitun Zavery, said: “If GDPR taught us anything, it was that last-minute compliance efforts lead to headaches and half-measures. As with many EU laws, UK companies may be pulled into scope as the act extends beyond European financial institutions and deep into their software supply chains.

“This is a big problem for UK businesses whose European customers fall under the regulation's purview. The stern financial penalties for non-compliance are enough motivation for EU financial institutions to tell partners, ‘If you aren't compliant, we need someone who is’.”

He added: “Rather than a burden, UK organizations should see DORA as an opportunity to streamline systems and processes by leveraging automation, reinforcing their software supply chains, and adopting a proactive approach to risk mitigation and vulnerability management. If DORA becomes like GDPR, then prioritizing compliance will now open doors as forms of this standard are adopted in the UK.”
