It’s no surprise to me that financial services organisations missed the 17 January 2025 deadline to be in compliance with the European Union’s Digital Operational Resilience Act (DORA). I personally have not met a CIO or CISO who thought this deadline was realistic.

Even back in January, research from Orange Cyberdefense saw 43% of respondents in the industry admit they would not be compliant by the deadline. In March, Clear Junction revealed 86% of financial services organisations were not fully compliant, and, more worryingly, Skillcast’s DORA readiness report showed huge variation in the resilience of these institutions’ IT infrastructures. The banking and lending subsector stood out as the least prepared for compliance, while the financial transaction processing subsector was the most vulnerable to cyber threats.

Given we have known this deadline was coming, why such inconsistency when it comes to readiness?

The reality is that cyber security strategies are always dealing with moving targets. Today, your organisation could feel secure and in compliance with DORA, but tomorrow the vulnerability landscape could change. New threats are introduced all the time. For example, you could implement a new supplier technology that creates new vulnerabilities in the supply chain, or the regulations themselves could change. In the UK, we are still expecting the Cyber Security and Resilience Bill at some point this year. The Government has announced its proposals, but it is still to be confirmed when it will come into effect.