DORA: 43% of UK financial services unprepared for EU regulation, Censuswide survey finds.

LONDON, United Kingdom - January 16, 2025 -  New research from Orange Cyberdefense, Orange's specialist cybersecurity business unit and a leader in cybersecurity services in Europe, reveals that 43% of the UK financial services industry will miss the Digital Operational Resilience Act (DORA) deadline when the European Union’s (EU) latest regulation takes effect on January 17th. The risk for the 43% is significant given the financial fines that can be levied for non-compliance with DORA of up to 1% of worldwide daily turnover for as long as six months.

A Censuswide survey of 200 UK CISOs and senior security decision-makers, commissioned by Orange Cyberdefense, reveals that the majority of senior security professionals see the value in the EU’s efforts to strengthen the financial sector's resilience against digital threats. Nearly 9 in 10 (88%) believe that DORA will be beneficial, and even more (96%) say it will significantly enhance overall resilience across the EU and the EU business ecosystem.

Barriers to DORA compliance

Despite this positive sentiment, several barriers to compliance persist. The challenges described by security professionals are varied, emphasising these barriers are organisation-specific, rather than broader issues with the compliance process. These include a lack of prioritisation from the wider organisation (28%), a short timeline to becoming compliant (25%), a lack of skills/knowledge (24%), and a lack of visibility over supply chain/third-party partners (23%). To overcome these challenges, the vast majority (97%) of respondents either employ (78%) or plan to employ (19%) external support to help their business become compliant with DORA.

It’s noteworthy that DORA comes hot on the heels of another significant EU regulation, the Network and Information Systems Directive 2 (NIS2), which took effect on October 17th 2024. The persistent need to address broader compliance demands and the overlapping nature of requirements might explain why the vast majority of respondents rated the preparedness of their organisation so highly – 92% were feeling either very positive or somewhat positive about their organisation’s preparedness ahead of the DORA deadline this month. Despite this, a staggering 43% of respondents are due to miss the deadline, and 20% expect to do so by at least four months.

Compliance budgets

Typically, budgetary constraints have been a significant hurdle for cybersecurity teams to overcome. However, 84% of respondents felt that their organisation had made more than enough budget available to become compliant with DORA. This marks a departure from the norm, with limited budgets and the turbulent economic situation often cited as problematic by senior cybersecurity professionals.

To meet compliance requirements, 78% of respondents reallocated the budget from other business areas, and 48% reallocated staff members from other projects. Although budgetary constraints aren’t currently ranked highly as a barrier to compliance, 66% of CISOs and senior security decision-makers believe that DORA will significantly increase cybersecurity costs in the long term.

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, said: “The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect. There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible. However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership.

“The threat landscape has never been more volatile. The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats. DORA doesn’t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. But as is always the case in cybersecurity, the clock is ticking.”

About the Digital Operational Resilience Act (DORA)

Achieving DORA compliance requires businesses to implement essential protection, detection, containment, recovery, and repair measures, introducing clear rules for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks. For more information, see here. 

About the study

Censuswide conducted this research on behalf of Orange Cyberdefense between December 18th and 31st, 2024. The survey included 200 CISOs and senior security decision-makers from financial services companies with more than 1,000 employees in the UK—a non-EU member state significantly impacted by DORA due to its business ties with EU countries. The study was nationally representative.

Press contact

Edward Cooper

Babel PR for Orange Cyberdefense

orangecyberdefense@babelpr.com

+44 (0)20 7434 5550