The European Union’s (EU) latest regulation, the Digital Operational Resilience Act (DORA), is set to come into effect tomorrow, but according to research from Orange Cyberdefense, Orange’s specialist cybersecurity business unit, 43 per cent of UK financial firms will miss the deadline and could face fines of up to one per cent of worldwide daily turnover for as long as six months.
The Orange Cyberdefense survey, examining 200 UK CISOs and senior security decision makers (surveyed by research consultant, Censuswide), found that 88 per cent of respondents believe DORA will be beneficial. Further showing support for the EU’s effort to strengthen the financial sector’s resilience against digital threats, 96 per cent of respondents say DORA will significantly enhance overall resilience across the EU and the EU business ecosystem.
Despite this positive sentiment, several barriers to compliance persist. The challenges described by security professionals are varied, which suggests that these barriers are organisation-specific rather than broader issues with the compliance process. These include:
- a lack of prioritisation from the wider organisation (28 per cent)
- a short timeline to becoming compliant (25 per cent)
- a lack of skills/knowledge (24 per cent)
- a lack of visibility over supply chain/third-party partners (23 per cent)
To overcome these challenges, 97 per cent of respondents either employ (78 per cent) or plan to employ (19 per cent) external support to help their business become compliant with DORA.
Addressing compliance challenges
It’s noteworthy that DORA comes hot on the heels of another significant EU regulation, the Network and Information Systems Directive 2 (NIS2), which took effect on 17 October 2024.
The persistent need to address broader compliance demands and the overlapping nature of requirements might explain why the vast majority of respondents rated the preparedness of their organisation so highly – 92 per cent were feeling either very positive or somewhat positive about their organisation’s preparedness ahead of the DORA deadline this month. Despite this, a staggering 43 per cent of respondents are due to miss the deadline, and 20 per cent expect to do so by at least four months.
To meet compliance requirements, 78 per cent of respondents reallocated budget from other business areas, and 48 per cent reallocated staff members from other projects. Traditionally, budgetary constraints have been a significant hurdle for cybersecurity teams to overcome. However, preparation for DORA breaks this trend, as 84 per cent of firms felt they had enough budget to become compliant.
Although budgetary constraints aren’t currently ranked highly as a barrier to compliance, 66 per cent of CISOs and senior security decision-makers believe that DORA will significantly increase cybersecurity costs in the long term.
Avoiding unwelcome fines and negative publicity
Richard Lindsay, principal advisory consultant at Orange Cyberdefense, said: “The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect. There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible.
“However, remaining non-compliant could have severe ramifications, with fines of up to two per cent of global annual turnover and the potential of fines of over €1 million for individual senior leadership.
“The threat landscape has never been more volatile. The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats. DORA doesn’t mandate anything by way of revolutionary requirements.
“Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. But as is always the case in cybersecurity, the clock is ticking.”