Only 57% of financial services organisations in the UK are prepared to meet the compliance requirements of the Digital Operational Resilience Act (DORA), according to a new study. This finding is based on a Censuswide survey commissioned by Orange Cyberdefense, involving 200 UK-based CISOs and senior security decision-makers.

DORA establishes a regulatory framework to enhance ICT resilience in EU financial institutions. Key measures include ICT risk management, incident reporting, resilience testing, and oversight of third-party providers. The regulation shifts focus from capital-based risk management to proactive measures targeting ICT vulnerabilities. Leadership accountability is a central aspect of DORA, with CEOs and executive committees now responsible for defining and overseeing compliance strategies. Meeting these requirements requires organisations to integrate risk management, incident response, and third-party governance into a unified framework.

Orange Cyberdefense’s survey highlighted that 88% of respondents viewed the regulation as beneficial, while 96% believed it would strengthen resilience across the European Union’s (EU) financial ecosystem. Despite this optimism, a significant number of organisations remain unprepared to implement the required changes. The cost of non-compliance is material: the periodic penalty payments written into DORA itself, up to 1% of average daily worldwide turnover for as long as six months, apply to critical ICT third-party providers under the oversight framework, while penalties for financial entities are set and enforced by national competent authorities.

“The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher,” said Orange Cyberdefense’s principal advisory consultant Richard Lindsay. “By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats. DORA doesn’t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance.”

Compliance steps for financial organisations

Several organisation-specific challenges were identified as major obstacles to meeting DORA requirements. Among respondents, 28% cited limited prioritisation within their organisations, 25% pointed to time constraints, 24% mentioned gaps in skills and knowledge, and 23% highlighted limited visibility into supply chains and third-party vendors. To overcome these barriers, 78% of organisations have already sought external support, with an additional 19% planning to do so.

Budget constraints, often cited as a hurdle in cybersecurity, were less of a concern in this case. The survey found that 84% of respondents believe their organisations have allocated sufficient budgets for DORA compliance. To fund the compliance work, 78% of respondents reported reallocating budgets from other business areas, while 48% reassigned staff from other projects. However, 66% of respondents expect long-term cybersecurity costs to rise significantly as a result of DORA compliance.

DORA, which has applied since 17 January 2025, follows the 17 October 2024 transposition deadline for the Network and Information Systems Directive 2 (NIS2). The overlap between these two regulatory frameworks has added complexity to compliance efforts. The survey also exposed a gap between confidence and readiness: while 92% of respondents expressed confidence in their organisation’s readiness, 20% anticipate delays of at least four months, and 43% expect to miss the compliance deadline entirely.

The more profound challenge for companies may prove to be the change in culture necessary to guarantee compliance with DORA in the long term, said Capgemini’s head of UK financial services, Desre Sheen. “Additionally,” she said, “all plans need to be living documents, as the definition of a critical business service may change. It’s also important to be mindful that all regulations require a certain level of interpretation, and that means not every firm will be equally compliant.”

AI may prove a balm for those organisations worried that their current workforce is too stretched as it is to comply with the new law, argued Splunk’s chief strategy advisor for the EMEA region, James Hodge. “By going beyond regulatory compliance and investing in predictive analytics, advanced AI-driven threat detection, and continuous supply chain monitoring,” said Hodge, “they can prepare for the inevitable evolution of these standards.”
