It's DORA Day. Is Your Organisation Ready?

As nearly half of UK financial firms set to miss today's DORA compliance deadline, industry leaders warn of hefty fines but remain optimistic about a path

As the EU's Digital Operational Resilience Act (DORA) takes effect today, 17th January 2025, a startling revelation has emerged: 43% of UK financial services institutions will miss the compliance deadline, despite having had two years to prepare. 

This significant delay could expose these organisations to substantial penalties, including fines of up to 1% of worldwide daily turnover for up to six months.

Industry Support Despite Implementation Challenges


The regulation, which affects everyone from traditional banks to fintech startups, comes at a particularly complex time, following closely behind another significant EU regulation, the Network and Information Systems Directive 2 (NIS2), which took effect on October 17th 2024. 

The overlapping nature of these requirements and the need to address broader compliance demands adds another layer of complexity to implementation.

“The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect,” explains Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense. 

“There is a lot to navigate, and we're increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible. 

“However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership.”


Barriers to Implementation and Resource Allocation

The challenges facing organisations are diverse and notably organisation-specific, rather than reflecting broader problems with the compliance process itself. 

The survey from Orange Cyberdefense revealed that 28% cite lack of prioritisation from the wider organisation as a barrier, while 25% point to the short timeline for compliance. 

Other significant hurdles include skills and knowledge gaps (24%) and lack of visibility over supply chain and third-party partners (23%).

Interestingly, budget constraints aren't the primary obstacle. The survey found that 84% of respondents felt their organisation had made more than enough budget available for DORA compliance. 

However, 78% had to reallocate budget from other business areas, and 48% reassigned staff from other projects to meet the requirements. 

Despite this financial commitment, 66% of CISOs and senior security decision-makers believe that DORA will significantly increase cybersecurity costs in the long term.


The UK Context and Broader Implications

Mark Dearman, Director of Industry Banking Solutions at FintechOS, notes the broader context: “The UK's mandatory reimbursement requirement in 2024 has significantly spurred financial institutions to bolster their security measures. 

“This requirement, coupled with the impending implementation of DORA, has created a dual imperative for enhanced cybersecurity and operational resilience in the financial sector.”

“While the UK is no longer part of the EU, many UK financial institutions operating in or with EU markets must still comply with DORA, creating a ripple effect on UK cybersecurity practices,” Dearman adds. 


“Several UK banks have diversified cloud service providers to reduce dependency on a single provider, mitigating concentration risk. 

“In addition, institutions are addressing challenges posed by outdated systems, focusing on data unification and improved monitoring capabilities.”

Grant Harper, Global Lead for Financial Services at ITRS, emphasises the operational challenges: “A core requirement under DORA is for financial entities to establish robust processes to identify and assess ICT risks, ensuring they can pre-empt and respond to potential threats effectively.

“Firms therefore need complete visibility over their IT stack. This is no small task, particularly for financial entities with complex, multi-cloud environments.”


The Path to Compliance

For the 43% of organisations still working toward compliance, the survey indicates that 20% expect to miss the deadline by at least four months. 

Despite this delay, the survey shows remarkably high confidence, with 92% feeling either very positive or somewhat positive about their organisation's preparedness. 


The vast majority (97%) of respondents either employ (78%) or plan to employ (19%) external support to help their business become compliant with DORA.

“Anecdotally, industry readiness is high,” notes Harper. “Firms have had years to prepare, and the various supervisory authorities responsible for the implementation have been proactive in providing education and resources to ensure all participants understand the requirements. 

“However, as is the case with any big change, I expect there to be some bumps along the road and it will inevitably take the industry a bit of time to fully adapt.”

Banks are increasingly adopting a 'hollowing out the core' strategy to gradually move from monolithic core platforms to more flexible, modular architectures. 

This technological transformation, while challenging, aligns with DORA's requirements for enhanced operational resilience.


As we enter this new era of regulatory oversight, the message is clear: preparation and adaptation are key.

The threat landscape has never been more volatile, and as Lindsay points out: “The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. 

“By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats.”

Organisations that act now to build robust digital operational resilience frameworks will find themselves better positioned not just for regulatory compliance, but for long-term success in an increasingly digitised financial sector. 

The clock is ticking for UK institutions to meet these new standards, but with proper planning and resource allocation, compliance is achievable.

FinTech Magazine is a BizClik brand
