Although they have had two years to prepare for the incoming legislation, a study has today revealed that a significant minority of UK financial services organisations are set to miss the 17 January 2025 deadline to comply with the European Union’s (EU’s) Digital Operational Resilience Act (DORA).

According to the Censuswide survey commissioned by Orange Cyberdefense, 43% of British financial services organisations say they are still exploring DORA and will not be compliant for another three months at least, putting them at significant risk of regulatory fines.

The 200 UK chief information security officers and cyber decision-makers polled on Orange’s behalf overwhelmingly believed DORA would be beneficial and would significantly enhance overall resilience across the EU and its wider ecosystem.

Yet barriers to compliance persist, with respondents to the survey describing a plethora of issues – most of them relating to their own organisation rather than the DORA legislation. Orange found these issues include a lack of prioritisation in the wider organisation (28%), a short timeline to becoming compliant (25%), a lack of specific skills and knowledge (24%), and a lack of visibility into supply chains and third-party partners (23%). To overcome these, 97% said they were considering enlisting external support.

Some 84% said they had been given enough or more than enough budget to become compliant, and a parallel study from Rubrik Zero Labs today reported that about 47% of UK financial services organisations had spent over €1m (£842,000) on compliance measures.

“The regulatory landscape in the EU is heavily congested, with several overlapping standards and laws now in effect. There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible,” said Richard Lindsay, principal advisory consultant at Orange Cyberdefense.

“However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership.

“The threat landscape has never been more volatile. The financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. By implementing the required changes, businesses can avoid unwelcome fines and negative publicity and, most importantly, build resilience against digital threats,” Lindsay added.

“DORA doesn’t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. But, as is always the case in cyber security, the clock is ticking.”

Orange additionally noted that given the formal introduction of DORA comes just three months after the EU stood up the Network and Information Systems Directive 2 (NIS2) in October 2024, the need to address broader cyber compliance demands and overlapping requirements in both sets of regulations may explain why the majority of respondents are feeling positive about DORA, despite anticipating delays in achieving compliance.