Saturday, January 18, 2025

Nearly 50% of UK Banks Expected to Miss DORA Deadline

Despite having two years to prepare, many UK financial services organizations are still behind on the January 17, 2025, deadline for compliance with the EU's Digital Operational Resilience Act (DORA). A recent Censuswide survey by Orange Cyberdefense shows that 43% of these organizations are still in the early stages of exploring DORA and won't be ready for at least another three months, putting them at risk of hefty regulatory fines.

The survey included 200 chief information security officers and cyber decision-makers, and the majority believe DORA will be a game changer for resilience across the EU’s financial landscape. However, they face several hurdles. Many cite issues like insufficient prioritization within their organizations (28%), tight timelines for compliance (25%), a lack of necessary skills (24%), and poor visibility into their supply chains (23%). To address these challenges, 97% of respondents are looking into bringing in external help.

Interestingly, 84% say they have enough budget to meet compliance requirements, and a study from Rubrik Zero Labs reveals that 47% of UK financial services firms have already invested over €1 million in compliance efforts.

It’s worth noting that DORA doesn’t require groundbreaking changes. Many of the necessary adjustments can be tackled through thorough cyber risk assessments, integrated incident reporting, resilience testing, and stronger governance frameworks. Richard Lindsay from Orange Cyberdefense emphasizes that the regulatory environment is complex, filled with overlapping standards that can complicate compliance.

If firms remain non-compliant, they face serious consequences. DORA leaves the exact penalty regime for financial entities to national competent authorities, and figures cited in the industry put fines at up to 2% of global annual turnover, with potential individual penalties exceeding €1 million for senior leaders. Lindsay warns that the threat landscape is increasingly dangerous, with the financial sector attracting more cybercriminal attention than ever. By implementing the necessary changes, companies can avoid penalties and enhance their defenses against cyber threats.

DORA aims to bolster cyber security across financial services in Europe. It sets consistent operational resilience rules for 20 types of financial entities, such as banks and insurance firms, and extends oversight to the ICT third-party service providers that supply them. Brussels sees this regulation as essential, given the industry's heavy reliance on IT, which makes it vulnerable to cyber disruptions that could impact the broader economy.

Key aspects of DORA include IT risk management, third-party risk oversight, operational resilience testing, cyber incident reporting, and information sharing. Mitun Zavery from Sonatype cautions that waiting until the last minute for compliance can lead to problems, reminiscent of the GDPR experience. UK firms with European customers must pay attention to DORA, as non-compliance could result in partners seeking compliant alternatives.

He encourages UK organizations to view DORA not just as a hurdle but as a chance to enhance their systems through automation and a proactive approach to risk and vulnerability management. If DORA turns out to be similar to GDPR, prioritizing compliance now can create opportunities as similar standards take root in the UK.