More than four-in-ten UK financial services firms look set to miss the deadline for compliance with the new Digital Operational Resilience Act (DORA) tomorrow.
Companies failing to comply with the regulations could face fines of up to 2% of worldwide daily turnover for as long as six months.
However, while nearly nine-in-ten UK CISOs and senior security decision makers believe that DORA will be beneficial, 43% said they won’t be compliant for at least three months.
"The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect," said Richard Lindsay, principal advisory consultant at Orange Cyberdefense, which commissioned the research.
"There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible."
"However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership."
The challenges in implementation varied from organization to organization, but included a lack of prioritization, the short timeline involved, a lack of skills, and a lack of visibility over supply chain or third-party partners, each cited by around a quarter of respondents.
To deal with these issues, virtually all said they planned to call on external support.
Budgetary constraints weren't highlighted as an issue, with 84% of respondents saying they had allocated funds ahead of the deadline. Around three-quarters have reallocated funding from other business areas, and around half have pulled in staff members from other projects.
In the longer term, though, two-thirds of CISOs and senior security decision makers believe that DORA will significantly increase cybersecurity costs.
The new regulations include more than 500 individual requirements, with businesses expected to implement essential protection, detection, containment, recovery, and repair measures.
RELATED WHITEPAPER
Rules contained in the legislation place a strong emphasis on ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.
PwC has estimated that more than 22,200 financial bodies and IT service providers fall under the scope of the act. However, the EU is expected to take a targeted approach to any breaches, focusing on larger players and significant breaches.
-
A threat to Google’s dominance? The AI browser wars have begun – here are the top contenders vying for the crownNews Perplexity has unveiled its Comet browser while OpenAI is reportedly planning to follow suit
-
Google Cloud Summit London 2025: Practical AI deploymentITPro Podcast As startups take hold of technologies such as AI agents, where is the sector headed?
-
‘Confusing for developers and bad for users’: Apple launches appeal over ‘unprecedented’ EU fineNews Apple is pushing back against new app store rules imposed by the European Commission, suggesting a €500m fine is a step too far.
-
When IT and operational resilience meet: Staying one step ahead of regulation and rogue threatsCyber incidents are not only high, but growing, and ICT suppliers can find themselves on the hook if the worst happens
-
Why DORA is bigger than just a financial sector compliance check box exerciseThe EU’s landmark digital resilience legislation has issued a wake-up call for adopting a continuous approach to cybersecurity
-
DORA 6 months on: What’s still left to learn and do?Compliance doesn’t have to be a scramble, and choosing the right vendor can be the difference between success and failure
-
Public sector workers are sweating over AI security threatsNews Nearly a third of public sector IT professionals are seriously concerned about the security dangers of AI.
-
‘Europe could do it, but it's chosen not to do it’: Eric Schmidt thinks EU regulation will stifle AI innovation – but Britain has a huge opportunityNews Former Google CEO Eric Schmidt believes EU AI regulation is hampering innovation in the region and placing enterprises at a disadvantage.
-
We spoke to over 700 IT leaders to hear their tech strategy plans for 2025 – here's what we learnedNews ITPro's Future Focus report shows AI, cybersecurity, and cloud remain top of the priority list for IT leaders in 2025.
-
A big enforcement deadline for the EU AI Act just passed – here's what you need to knowNews The first set of compliance deadlines for the EU AI Act passed on the 2nd of February, and enterprises are urged to ramp up preparations for future deadlines.
