CFOtech UK - Technology news for CFOs & financial decision-makers

Financial firms in EMEA face data resilience gaps post DORA

Wed, 23rd Jul 2025

A recent study indicates that the majority of financial services organisations in the EMEA region acknowledge shortcomings in their data resilience efforts six months after the introduction of the EU's Digital Operational Resilience Act (DORA).

The survey, commissioned by Veeam Software and conducted by Censuswide, gathered responses from more than 400 senior IT decision makers and heads of compliance at financial services companies and banks in the UK, France, Germany, and the Netherlands. Findings show that 96% of these organisations believe improvements are necessary to meet DORA's resilience requirements, reflecting a widespread perception that current measures are inadequate.

DORA was enacted by the EU in January 2025 to bolster the financial sector's protection against cyberthreats and information and communications technology (ICT) disruptions. Despite this regulatory focus, organisations still face significant hurdles on the path to full compliance, particularly around resource allocation and complexities in managing third-party risks.

Shifting priorities

The survey reveals that the profile of DORA within the financial sector has grown substantially since its introduction. A large majority, 94% of respondents, now rank DORA higher in their organisational priorities compared to the month preceding the deadline, and 40% classify it as a current "top digital resilience priority." While half of the organisations report integrating DORA requirements into their existing resilience programmes, 39% consider it a central focus within their operations.

Impact on personnel and budgets

Compliance efforts are exerting pressure on internal teams and budgets. According to the study, 41% of organisations report increased stress and pressure on IT and security teams since DORA's implementation. Cost factors are also affecting progress, with 37% noting higher expenses due to increased charges from ICT vendors. Budgetary constraints remain a concern, with 20% yet to secure the necessary funds to achieve compliance.

In addition to operational and financial challenges, the volume of digital regulation itself is cited as a concern. For 22% of organisations, the breadth of regulation is perceived as an impediment to innovation or competition in the sector.

"It's promising to see that most organizations have embraced and feel confident about meeting DORA's requirements. Achieving compliance is an important first step in ensuring your organization is resilient but given today's complex threat landscape there's more to do. New Veeam research shows that many financial institutions still see a gap in their overall resilience and face challenges in securing the necessary budget, even as DORA grows in strategic importance. The journey to operational resilience is ongoing, and it's clear that prioritizing data resilience remains critical for organizations' long-term success."

The statement from Edwin Weijdema, EMEA Field CTO at Veeam, highlights both optimistic uptake and the longer-term effort required for resilient operations.

Gaps in implementation

The study identifies specific areas where many financial organisations have not met certain DORA requirements. Around 24% have yet to establish recovery and continuity testing, implement formal incident reporting, or identify a lead responsible for DORA implementation. Additionally, 23% have not commenced comprehensive digital operational resilience testing, and 21% have not ensured the integrity of backup procedures and secure data recovery.

Oversight of third-party risks is singled out as the most technically demanding aspect of compliance: 34% cite it as their most challenging requirement, whilst only 20% have not yet fully implemented it. The challenges stem from limited visibility into third-party operations and the extensive scope of partner networks that financial service providers must oversee.

"It's interesting to see that third-party oversight has emerged as a particular pain point for organizations. Over a third named it the most challenging to implement, and many called for additional guidance on establishing it in the first place. An often-overlooked facet of data resilience, it's promising to see that organizations are interrogating their defences to this degree – which is exactly what it was designed to do. Of course, meeting the requirements is key, but DORA was also about getting organizations to assess their resilience holistically – and in that aspect, it seems to be succeeding."

Andre Troskie, Field CISO EMEA at Veeam, commented on the difficulties of achieving oversight, while also observing that the regulation appears to be prompting a thorough self-assessment by organisations.

Regulatory feedback

Some respondents suggested that the design of DORA itself could be improved, with 22% calling for simplification, clarification, and more detailed guidance around third-party risk management. This feedback indicates a desire for regulators to provide more actionable frameworks to ease the path toward compliance for financial institutions.

To provide support for organisations seeking a structured approach to resilience, Veeam and McKinsey have developed the Data Resilience Maturity Model (DRMM). This model aims to offer a holistic, cross-functional methodology that brings together IT, security, and compliance stakeholders, allowing organisations to assess and enhance their data resilience strategies in line with regulatory expectations such as those set out by DORA.

"DORA was about more than compliance – it was about driving a holistic reassessment of digital data resilience," added Troskie. "And in that respect, it's working."