Nearly half of UK financial businesses not ready for a date with DORA
The EU's Digital Operational Resilience Act (DORA) comes into force tomorrow (Jan 17th) but new research shows that 43 percent of the UK's financial organizations are set to miss the deadline for compliance, with 20 percent expecting to do so by at least four months.
Although the UK is outside the EU its strong financial ties with Europe mean firms operating in or interacting with EU markets will need to align with DORA standards to continue their business relationships.
The research from Orange Cyberdefense, based on a Censuswide survey of 200 UK CISOs and senior security decision-makers, shows 88 percent believe that DORA will be beneficial, and 96 percent say it will significantly enhance overall resilience across the EU and the EU business ecosystem.
There are barriers to adopting DORA standards, however, these include a lack of prioritization from the wider organisation (28 percent), a short timeline to becoming compliant (25 percent), a lack of skills/knowledge (24 percent), and a lack of visibility over supply chain/third-party partners (23 percent). To overcome these challenges, the vast majority (97 percent) of respondents either employ (78 percent) or plan to employ (19 percent) external support to help their business become compliant with DORA.
Richard Lindsay, principal advisory consultant at Orange Cyberdefense, says:
The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect. There is a lot to navigate, and we're increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible. However, remaining non-compliant could have severe ramifications, with fines of up to two percent of global annual turnover and the potential of fines of over €1m for individual senior leadership.
The threat landscape has never been more volatile. The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats. DORA doesn't mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. But as is always the case in cybersecurity, the clock is ticking.
The introduction of DORA comes soon after another significant EU regulation, the Network and Information Systems Directive 2 (NIS2), designed to ensure consistent levels of cybersecurity, which took effect on October 17th 2024. This increased need for compliance and overlap of regulation might partly explain why businesses are struggling to keep up.
Image credit: vector.plus/depositphotos.com