On January 17th, 2025, the EU’s Digital Operational Resilience Act (DORA) officially became enforceable. However, despite the looming threat of hefty fines for non-compliance, a recent survey conducted by Censuswide revealed that 43% of UK financial services are likely to miss the compliance deadline.
One may wonder why DORA applies to UK businesses even though the UK is no longer a member of the EU. The answer lies in the fact that many UK-based entities, especially financial institutions and ICT service providers, still operate within the EU or offer services to EU clients. Hence, DORA’s regulations have a significant impact on these organizations, irrespective of direct applicability in the UK.
The implementation of DORA introduces a complex set of cybersecurity standards to entities operating within EU jurisdictions. While many UK entities may be new to these standards, some already align with similar regulations such as SS2/21 and ISO27001. Furthermore, the UK government has also introduced specific policies, like the “Operational resilience: Critical third parties to the UK financial sector” policy statement, which aims for interoperability with DORA regulations.
Despite having a two-year lead time to prepare for DORA, the Censuswide survey highlighted several barriers hindering UK banks from meeting the compliance deadline. These include a lack of prioritization within the organization, tight timelines for compliance, insufficient skills and knowledge, and limited visibility over supply chains and third-party partners.
Dr. Ilia Kolochenko, CEO of ImmuniWeb, drew parallels between the adoption of DORA and the introduction of GDPR in 2018. He emphasized that many financial institutions may adopt a wait-and-see approach regarding enforcement actions against non-compliant companies. Kolochenko also acknowledged the challenges faced by financial organizations in achieving DORA compliance, citing factors like privileged third-party access, complex data storage environments, and unreliable AI tools.
As the deadline for DORA compliance has passed, attention now shifts to the European Supervisory Authorities (ESAs) who have the power to enforce fines for non-compliance. The road ahead may involve gradual improvements in compliance standards, with financial institutions weighing the costs against the benefits of meeting DORA requirements.
In conclusion, while the implementation of DORA poses challenges for UK financial services, it underscores the importance of cybersecurity resilience in an increasingly digital world. As organizations strive to meet the stringent standards set by DORA, the focus remains on enhancing operational resilience and safeguarding critical business data in the face of evolving cyber threats.
The opinions expressed in this article belong to the individual contributors and may not necessarily reflect the views of Information Security Buzz.