UK financial services firms are scrambling to comply with DORA regulations
Lack of prioritization and tight implementation schedules mean many aren’t compliant


More than four-in-ten UK financial services firms look set to miss the deadline for compliance with the new Digital Operational Resilience Act (DORA) tomorrow.
Companies failing to comply with the regulations could face fines of up to 2% of worldwide daily turnover for as long as six months.
However, while nearly nine-in-ten UK CISOs and senior security decision makers believe that DORA will be beneficial, 43% said they won’t be compliant for at least three months.
"The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect," said Richard Lindsay, principal advisory consultant at Orange Cyberdefense, which commissioned the research.
"There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible."
"However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership."
The challenges in implementation varied from organization to organization, but included a lack of prioritization, the short timeline involved, a lack of skills, and a lack of visibility over supply chain or third-party partners, each cited by around a quarter of respondents.
To deal with these issues, virtually all said they planned to call on external support.
Budgetary constraints weren't highlighted as an issue, with 84% of respondents saying they had allocated funds ahead of the deadline. Around three-quarters have reallocated funding from other business areas, and around half have pulled in staff members from other projects.
In the longer term, though, two-thirds of CISOs and senior security decision makers believe that DORA will significantly increase cybersecurity costs.
The new regulations include more than 500 individual requirements, with businesses expected to implement essential protection, detection, containment, recovery, and repair measures.
Rules contained in the legislation place a strong emphasis on ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.
PwC has estimated that more than 22,200 financial bodies and IT service providers fall under the scope of the act. However, the EU is expected to take a targeted approach to any breaches, focusing on larger players and significant breaches.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.