UK financial services firms are scrambling to comply with DORA regulations
Lack of prioritization and tight implementation schedules mean many aren’t compliant


More than four-in-ten UK financial services firms look set to miss the deadline for compliance with the new Digital Operational Resilience Act (DORA) tomorrow.
Companies failing to comply with the regulations could face fines of up to 2% of worldwide daily turnover for as long as six months.
However, while nearly nine-in-ten UK CISOs and senior security decision makers believe that DORA will be beneficial, 43% said they won’t be compliant for at least three months.
"The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect," said Richard Lindsay, principal advisory consultant at Orange Cyberdefense, which commissioned the research.
"There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible."
"However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership."
The challenges in implementation varied from organization to organization, but included a lack of prioritization, the short timeline involved, a lack of skills, and a lack of visibility over supply chain or third-party partners, each cited by around a quarter of respondents.
To deal with these issues, virtually all said they planned to call on external support.
Budgetary constraints weren't highlighted as an issue, with 84% of respondents saying they had allocated funds ahead of the deadline. Around three-quarters have reallocated funding from other business areas, and around half have pulled in staff members from other projects.
In the longer term, though, two-thirds of CISOs and senior security decision makers believe that DORA will significantly increase cybersecurity costs.
The new regulations include more than 500 individual requirements, with businesses expected to implement essential protection, detection, containment, recovery, and repair measures.
Rules contained in the legislation place a strong emphasis on ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.
PwC has estimated that more than 22,200 financial bodies and IT service providers fall under the scope of the act. However, the EU is expected to take a targeted approach to any breaches, focusing on larger players and significant breaches.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.