Nearly half of UK financial services institutions will miss DORA deadline

Despite two years’ prep time and sufficient organisational awareness and budget, 43% won’t be compliant for at least three months.

Friday, 17th January 2025, by Phil Alsop

New research from Orange Cyberdefense reveals that 43% of the UK financial services industry will miss the Digital Operational Resilience Act (DORA) deadline when the European Union’s (EU) latest regulation takes effect on January 17th. The exposure for that 43% is significant: non-compliance with DORA can attract fines of up to 1% of average worldwide daily turnover, applied for as long as six months.

A Censuswide survey of 200 UK CISOs and senior security decision-makers, commissioned by Orange Cyberdefense, reveals that the majority of senior security professionals see the value in the EU’s efforts to strengthen the financial sector's resilience against digital threats. Nearly 9 in 10 (88%) believe that DORA will be beneficial, and even more (96%) say it will significantly enhance overall resilience across the EU and the EU business ecosystem.

Barriers to DORA compliance

Despite this positive sentiment, several barriers to compliance persist. The challenges described by security professionals are varied, suggesting that these barriers are organisation-specific rather than broader problems with the compliance process itself. They include a lack of prioritisation from the wider organisation (28%), a short timeline for becoming compliant (25%), a lack of skills or knowledge (24%), and a lack of visibility over supply chain and third-party partners (23%). To overcome these challenges, the vast majority (97%) of respondents either already employ (78%) or plan to employ (19%) external support to help their business become compliant with DORA.

It’s noteworthy that DORA comes hot on the heels of another significant EU regulation, the Network and Information Systems Directive 2 (NIS2), which took effect on October 17th 2024. The persistent need to address broader compliance demands, and the overlap between the two sets of requirements, might explain why respondents rated their organisation’s preparedness so highly: 92% felt either very positive or somewhat positive about their organisation’s readiness ahead of the DORA deadline this month. Despite this, 43% of respondents expect to miss the deadline, and 20% expect to miss it by at least four months.

Compliance budgets

Typically, budgetary constraints have been a significant hurdle for cybersecurity teams to overcome. However, 84% of respondents felt that their organisation had made more than enough budget available to become compliant with DORA. This marks a departure from the norm, with limited budgets and the turbulent economic situation often cited as problematic by senior cybersecurity professionals.

To meet compliance requirements, 78% of respondents reallocated the budget from other business areas, and 48% reallocated staff members from other projects. Although budgetary constraints aren’t currently ranked highly as a barrier to compliance, 66% of CISOs and senior security decision-makers believe that DORA will significantly increase cybersecurity costs in the long term.

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, said: “The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect. There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible. However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership.

“The threat landscape has never been more volatile. The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats. DORA doesn’t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. But as is always the case in cybersecurity, the clock is ticking.”
