Source: www.infosecurity-magazine.com
Most European financial services organizations are still not meeting requirements set out in the EU’s Digital Operational Resilience Act (DORA), six months after the law came into effect.
This is according to research by Veeam, which found that 96% of financial companies it surveyed in this region believe their current level of data resilience falls short of DORA compliance.
Financial services firms also reported facing significant unforeseen challenges around DORA compliance. Over two-fifths (41%) said their IT and security teams have faced increased stress and pressure as a result of the regulation, while 37% are dealing with higher costs passed on by ICT vendors.
In addition, 20% have yet to secure the necessary budget to meet DORA requirements.
Over a fifth (22%) of respondents felt that DORA’s design could have been improved to assist compliance, for example through simplification, clarification and more detailed third-party risk guidance.
DORA officially entered into force on January 17, 2025. The legislation places new cyber resilience requirements on financial services organizations, including banks, insurance and investment companies. Third-party IT providers within the financial industry are also in scope.
While DORA is an EU law, it also applies to many global organizations that operate in the region.
Regulators have the power to impose huge penalties for non-compliance, up to 2% of global annual turnover or €10m ($11.6m), whichever is higher.
Third-party organizations may also face fines of up to 1% of their average daily global turnover for each day of non-compliance, for up to six months.
Third-Party Risk Management the Biggest Challenge
Third-party risk oversight was viewed as the hardest DORA requirement to implement, cited by 34% of respondents. This is likely a result of the vast number of third-party networks used in the financial services industry.
A fifth (20%) said they still have not implemented DORA-compliant third-party risk oversight.
Many organizations reported still being in the process of implementing other key DORA requirements, including:
- Recovery and continuity testing (24%)
- Incident reporting processes (24%)
- Appointing a DORA implementation lead (24%)
- Digital operational resilience testing (23%)
- Backup integrity and secure data recovery (21%)
DORA Now a Top Organizational Priority
The study, published on July 17, found that 94% of organizations now rank DORA compliance higher in their organizational priorities than they did in the month before the rules came into effect.
Additionally, 40% described DORA as a “top digital resilience priority,” while half said that requirements have been integrated into their broader resilience programs.
Andre Troskie, Field CISO EMEA at Veeam, commented: “Of course, meeting the requirements is key, but DORA was also about getting organizations to assess their resilience holistically – and in that aspect, it seems to be succeeding.”
The Veeam study surveyed 404 senior IT decision makers or heads of compliance at financial service companies with over 500 employees across the UK, France, Germany and the Netherlands.
Original Post URL: https://www.infosecurity-magazine.com/news/european-financial-dora-compliance/