
DORA Arrives: European Financial Services Faces New Regulation

A new year and a new regulation - how prepared are you for DORA?


Only a few months since the discussion was on compliance with the NIS2 directive, a new regulation is upon us.

Today is the deadline for compliance with the Digital Operational Resilience Act (DORA), aimed at strengthening the resilience of the financial sector against cyber risks. DORA has actually been in place since 16th January 2023, and today marks the end of the implementation period. From today, financial entities are expected to be compliant with the regulation.

Operational Resilience

Part of the EU's broader strategy to enhance cybersecurity and operational resilience in the financial sector, DORA encourages best practice in risk management and implementation of frameworks, as well as reporting significant incidents, and having strict oversight on third-party providers.

According to its regulator - the European Insurance and Occupational Pensions Authority - DORA is needed because the financial sector is increasingly dependent on technology, and on tech companies, to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents, and when such risks are not managed properly they can lead to disruptions of financial services offered across borders.

This in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

Not Compliant?

As the necessity to comply arrives, should businesses be worried if they have not achieved compliance? Mitun Zavery, vice president of Solution Architecture at Sonatype, said that if GDPR taught us anything, it was that last-minute compliance efforts lead to headaches and half-measures.

“Rather than a burden, UK organizations should see DORA as an opportunity to streamline systems and processes by leveraging automation, reinforcing their software supply chains, and adopting a proactive approach to risk mitigation and vulnerability management,” Zavery said.

Research released this week by Orange Cyberdefense found that 43 percent of those surveyed will not be compliant with DORA for at least three months. Its survey of 200 UK CISOs found that 28 percent have to deal with a lack of prioritisation from their wider organisation, and a quarter also cited a short timeline to becoming compliant.

Other research found that DORA compliance could cost over €1 million, and that 78 percent of respondents reallocated budget from other business areas to gain compliance.

Point of Concern

With compliance now upon us, and financial penalties amounting up to two percent of worldwide daily turnover for up to six months, we wanted to know if this has been a point of concern for businesses.

Brian Honan, CEO of BH Consulting, says he has assisted several organisations to align with the requirements of DORA and as the deadline for the Act approaches, there has been a significant increase in organisations enquiring about how they can align with the DORA requirements. “The enquiries we've dealt with come from organisations directly impacted by DORA, but also by those organisations in the supply chain of regulated entities,” he said.

Meanwhile Jonathan Armstrong, head of legal, UK and Ireland at Punter Southall, says there has been some advice sought, but not as much as he would have expected. He says that many people are struggling with the pace of regulatory change at the moment, and DORA is being added to the list for many.

This leads to a good point: is there too much regulatory change, so soon after NIS2? He says that after 30 years in tech law and compliance, this is the year he is most worried about in terms of the burden on businesses: even those who do this full time are struggling to keep up, and he knows lawmakers are struggling too.

Challenge or Burden

So is this providing too much of a challenge or burden for businesses? Armstrong agrees, saying we need to look at what this legislation is trying to achieve.

“Often businesses are struggling to recruit and retain the right people. Resources are finite even in the largest and best organisations.” Echoing the previous research, Armstrong said he knows of some businesses taking resources away from the front line of fighting cyber threats to do DORA and NIS2 compliance instead. “That can’t have been the intention of the legislation – we should be trying to make organisations more robust to threats to national infrastructure and financial services and my concern is that because of the way in which both sets of legislation have been drafted and implemented, and the resources required, the new regime will have the opposite effect.”

Honan says DORA is not redundant, as it sets a focused and prescriptive regulatory framework specifically for entities within the financial sector, which is crucial given the unique challenges they face.

He said: “Unlike more general regulations, DORA emphasises the resilience of critical services, ensuring organisations can operate and recover in the face of significant disruptions, including cyber-attacks. By strengthening resilience, organisations are not only complying with regulations but also building long-term trust and stability within their operations and across their supply chains.

“In a world where supply chains are deeply interconnected, DORA ensures that not only individual organisations but also their suppliers and partners are resilient to disruption. This is vital in today’s interconnected financial ecosystem, where a single weak link can have far-reaching consequences.”

What about the burden on businesses, with compliance to another framework required? Honan says implementing DORA will undoubtedly require effort and resources, but says it is not an unnecessary burden.

“On the contrary, it addresses a long-standing gap in how organisations approach cybersecurity and operational resilience,” he says. “Too often in the past we’ve seen organisations make ‘pinkie promises’ of commitment to cybersecurity and resilience that go unfulfilled, resulting in dire consequences for their customers. DORA changes that by creating a clear, enforceable framework that ensures organisations take tangible steps to bolster their defences.”

Fine Time

Of course there is the concern of failing to comply with DORA, and Forrester senior analyst Madelein van der Hout pointed out that organisations that fail to comply with DORA by today risk facing a range of significant and far-reaching consequences.

“Non-compliant organisations can incur fines up to two percent of their global annual turnover or €10 million—whichever is higher,” she said. “Critical third-party ICT providers may face fines as high as €5 million. Organisations may also face one percent of their daily global turnover as a fine for each day of non-compliance.”

She also said that regulatory authorities can limit or suspend non-compliant organisations' business activities until they achieve full compliance. In severe cases, non-compliance can result in a temporary suspension of operations, effectively halting business. “Compliance is not just about avoiding fines—it is an investment in long-term operational resilience and trust.”

Once again we look at the deadline for compliance with another regulatory framework. Like the others though, this is not to be dismissed as hype, and even if you are late in reaching the compliance level you should be at, or in making an assessment, it is not too late to make that start.


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
