Few industries are under the same level of regulatory scrutiny as financial services. New frameworks are introduced all the time, and for good reason: the sector underpins national infrastructure and is a prime target for cyberattacks and fraud. In other words, regulation has to be watertight.
The EU’s Digital Operational Resilience Act (DORA) is the latest in a long list of measures designed to raise the bar on how financial institutions and their third-party providers prepare for, withstand, and recover from disruption. Introduced in January, it focuses on incident reporting, third-party oversight and resilience testing. But six months on, nearly all financial services organisations surveyed (96%) acknowledge they still need to strengthen their resilience to meet the regulation’s requirements.
So what’s slowing things down? And what will actually help firms move forward?
Easing the strain on teams
One of the biggest side effects of DORA so far has been the extra load it puts on IT and security teams – 41% of organisations surveyed cited it as a significant challenge when meeting DORA requirements. Given that the cybersecurity sector is already a high-pressure industry, it’s no surprise that burnout is an ongoing problem. However, meeting DORA requirements should not have to add to this problem as much as it currently does.
The answer isn’t to add DORA as just another project to complete on an already crowded list. Instead, firms need to treat resilience more holistically. Using data resilience maturity models (DRMMs) allows DORA compliance to be part of a bigger resilience plan, rather than an isolated exercise. This approach not only takes pressure off teams but also improves businesses’ data resilience as a whole.
“Testing, testing…”
Another sticking point in meeting compliance requirements is the challenges around testing. Nearly a quarter of EMEA firms still don’t have recovery and continuity testing in place, and almost as many haven’t started resilience testing at all. That’s risky.
Without regular testing, there’s no way to know whether new controls will actually work when they’re needed. Running that first test can feel daunting – believe me, I know. No one wants to uncover problems that might be a pain to fix. But in reality, testing is one of the best ways to make progress. It’s a clear DORA requirement, but more importantly, it builds confidence that systems will hold up in the face of a real cyber incident.
Rethinking third-party relationships
Finally, the last major hurdle to DORA compliance is third-party oversight – over a third of organisations call it the “most challenging to implement”, and a fifth haven’t addressed it at all.
The main issue? Most firms underestimated just how many external providers they rely on. The average enterprise has 88 third-party partners, which is far more than most resilience strategies account for, and a massive number of connections to keep up with. In the past, financial firms often assumed these providers had resilience built in, but DORA demands more: clear responsibility models and transparent SLAs that spell out exactly who is accountable for what.
That means renegotiating contracts and bringing together security, risk, legal and management teams to get it done. It’s not a small task, but it’s a necessary one if organisations want genuine confidence in their resilience.
Looking ahead
The compliance issues around DORA won’t be resolved overnight. After all, building resilience takes time, and there will inevitably be bumps in the road. But firms that approach DORA as part of a broader resilience journey, rather than a standalone compliance project, will ultimately come out stronger because of it.
The best place to start is with some honest questions: Where are my company’s weak spots? Do we really know how resilient our suppliers are? And are we testing enough to trust our defences? The answers may be uncomfortable in the short term, but they’re the foundation of long-term confidence in data resilience – for DORA and well beyond.