Six months into DORA, most financial firms are still not ready
It’s been six months since the EU’s Digital Operational Resilience Act (DORA) came into effect, but a new Censuswide survey shows that nearly all financial services organizations in EMEA still feel unprepared. An overwhelming 96% of respondents said their current level of data resilience isn’t where it needs to be.
The survey, which gathered input from senior IT decision-makers in the UK, France, Germany, and the Netherlands, paints a clear picture: financial institutions are still struggling to meet the demands of DORA, the EU’s new framework designed to help the industry defend against cyberthreats and IT disruptions.
While DORA has been embedded as a strategic priority across the financial sector, many organizations are still navigating the path to compliance. The survey found that 94% of organizations surveyed now rank DORA higher in their organizational priorities than they did in the month before the deadline, with 40% calling it a current “top digital resilience priority.” Half of the respondents said DORA requirements have been integrated into their broader resilience programs, while 39% reported it remains a central focus.
The unintended consequences of DORA
Even though 94% of organizations say they are clear on the steps they need to take, many are facing unforeseen challenges:
- 41% report increased stress and pressure on IT and security teams.
- 37% are dealing with higher costs passed on by ICT vendors.
- 22% believe the volume of digital regulation is becoming a barrier to innovation or competition.
- 20% have yet to secure the necessary budget to meet DORA requirements.
DORA: Still a work in progress
Despite this prioritization, many organizations are still working to meet key DORA requirements:
- 24% have not established recovery and continuity testing.
- 24% have not implemented incident reporting.
- 24% have not identified a DORA implementation lead.
- 23% have not conducted digital operational resilience testing.
- 21% have not ensured backup integrity and secure data recovery.
The most challenging DORA requirement? Third-party risk oversight: 34% of organizations cited it as the hardest to implement, even though only 20% have yet to put it in place. There are many possible reasons for this, from the limited visibility many organizations have into their third-party operations to the sheer scale of their third-party networks.
“It’s interesting to see that third-party oversight has emerged as a particular pain point for organizations. Over a third named it the most challenging to implement, and many called for additional guidance on establishing it in the first place. An often-overlooked facet of data resilience, it’s promising to see that organizations are interrogating their defences to this degree – which is exactly what it was designed to do. Of course, meeting the requirements is key, but DORA was also about getting organizations to assess their resilience holistically – and in that aspect, it seems to be succeeding,” said Andre Troskie, Field CISO EMEA at Veeam.
Additionally, 22% of organizations felt that DORA’s design could have been improved to aid compliance, with calls for simplification, clarification, and more detailed third-party risk guidance.