A recent Censuswide survey, commissioned by Veeam Software, indicates that a significant majority of financial services organizations in EMEA (Europe, Middle East, and Africa) are still not fully ready for the EU's Digital Operational Resilience Act (DORA), six months after its application date of January 17, 2025.
Key findings from the survey, which polled senior IT decision-makers and heads of compliance at financial services companies and banks with more than 500 employees across the UK, France, Germany, and the Netherlands, reveal that:
96% of EMEA financial services organizations believe their current level of data resilience falls short of DORA's requirements and needs improvement.
While DORA has become a strategic priority for 94% of organizations, and 40% consider it a "top digital resilience priority," many are still grappling with implementation challenges.
Specific areas of concern where many organizations have not yet met DORA requirements include:
24% have not established recovery and continuity testing.
24% have not implemented formal incident reporting.
24% have not identified a DORA implementation lead.
23% have not conducted comprehensive digital operational resilience testing.
21% have not ensured backup integrity and secure data recovery.
Oversight of third-party risks is cited as the most technically challenging aspect of compliance by 34% of organizations.
Challenges faced by organizations in their DORA compliance journey include:
Increased stress and pressure on IT and security teams (41%).
Higher costs passed on by ICT vendors (37%).
The volume of digital regulation becoming a barrier to innovation or competition (22%).
Lack of necessary budget (20%).
Despite these challenges, the survey notes that most organizations are clear on the steps they need to take. However, the findings underscore that while DORA has raised awareness and prioritization of digital resilience, there is still substantial work to be done across the financial sector to achieve full compliance.
About EU DORA:
The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the information and communication technology (ICT) security of financial entities. It establishes a comprehensive framework for managing ICT risks, including:
ICT risk management and governance: Defining principles and requirements for a robust ICT risk management framework.
ICT-related incident management, classification, and reporting: Standardizing the process for identifying, managing, and reporting significant ICT incidents.
Digital operational resilience testing: Requiring regular testing of ICT systems, including threat-led penetration testing for critical entities.
ICT third-party risk management: Enhancing oversight of critical ICT third-party service providers.
Information sharing arrangements: Promoting the exchange of information and intelligence on cyber threats.
DORA entered into force on January 16, 2023, and became applicable on January 17, 2025. It applies to a broad range of financial entities, including banks, insurance companies, investment firms, and their critical third-party ICT service providers.
