CFOtech UK - Technology news for CFOs & financial decision-makers

43% of UK financial sector not ready for DORA compliance

Yesterday

New research by Orange Cyberdefense reveals that 43% of the UK financial services industry will not be compliant with the Digital Operational Resilience Act (DORA) as it becomes effective.

The study highlights a significant gap in readiness among UK institutions as DORA comes into force. Despite having two years to prepare and sufficient organisational awareness and financial resources, many in the sector anticipate a delay of at least three months before achieving compliance. Financial penalties for non-compliance can reach up to 1% of a company's worldwide daily turnover for six months.

The research involved a survey by Censuswide of 200 UK Chief Information Security Officers (CISOs) and senior security decision-makers. A majority of respondents see the EU's move to enhance the resilience of the financial sector positively, with 88% affirming that DORA will be beneficial and 96% believing it will significantly improve resilience across the EU business landscape.

Several obstacles have been identified as barriers to DORA compliance. These issues include a lack of prioritisation from the wider organisation (28%), a short timeline towards achieving compliance (25%), and a deficit of skills or knowledge (24%). Additionally, 97% of respondents have either employed or plan to employ external support to meet compliance goals.

DORA's introduction follows that of another EU regulation, the Network and Information Systems Directive 2 (NIS2), which came into effect in October 2024. Despite organisations' generally positive outlook on their preparedness, with 92% feeling capable ahead of the DORA deadline, nearly half will miss the compliance deadline.

On the financial side, most organisations do not cite budgetary constraints as a significant hurdle, a departure from typical concerns where budget limits affect cybersecurity efforts. Indeed, 84% of respondents indicated having adequate funding available for compliance efforts, though 78% reallocated funding from other business areas, and 48% reassigned staff from different projects. Despite this, 66% anticipate DORA will increase cybersecurity costs in the long run.

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, commented on the complex regulatory landscape and the risks of non-compliance. He said: "The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect. There is a lot to navigate, and we're increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible. However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership.

"The threat landscape has never been more volatile. The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats. DORA doesn't mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. But as is always the case in cybersecurity, the clock is ticking."
