It’s now six months since the EU’s Digital Operational Resilience Act (DORA) came into effect. How seriously is compliance being taken, and how much is it a priority for firms?
It’s now six months since the EU’s Digital Operational Resilience Act (DORA) came into effect, but many financial organisations are still struggling to comply. According to a recent study by Veeam Software, 96% of EMEA financial firms think they are falling short of DORA’s resilience requirement.
This is despite the fact that 94% of organisations now rank DORA higher in their organisational priorities than they did the month before the deadline.
Barriers to compliance include pressure on IT and security teams, and a lack of budget. Of those surveyed, 22% said the pure volume of digital regulation is stifling innovation. Third party risk oversight was cited by 34% as the hardest requirement to implement.
Taking this into account, how seriously is DORA compliance being taken, and how much is it a priority for firms affected by the regulation?
A Key Priority
The aim of DORA is to ensure all financial institutions can withstand, respond to and recover from incidents such as outages and cyber-attacks.
It creates a need for resilience, which the vast majority of financial firms now classify as “a priority”, says Flick March, Accenture’s EMEA strategy lead. However, while intent is “strong”, there is “still some progress to be made”, particularly around data resilience, she says.
The ICT risk management requirement is causing problems for many firms, especially smaller companies that may lack resources, says March. She cites the examples of DORA Articles 5 to 16, which require “a fully formalised governance structure, with documented policies, controls and board-level oversight”.
This is “a substantial undertaking” for firms when they are “building from the ground up”, she points out. For example, the incident-reporting requirements mandate that an initial notification of a major ICT-related incident is submitted within four hours of classifying it as major. “Meeting that standard demands advanced automation, real-time coordination across security, legal, and compliance teams and a mature level of infrastructure.”
The risk posed by third-party suppliers is another key challenge financial firms are struggling to overcome. A high level of commitment within the financial sector to comply with DORA is “dangerously undermined” by a “lack of seriousness from their critical third party suppliers”, says Ivan Milenkovic, vice president of risk technology EMEA at Qualys.
“There is a widespread issue with technology vendors who operate under the misconception that because they are not financial entities, DORA is not their problem,” he warns.
Technical Complexity
Then there’s the overall technical complexity of complying with a new set of regulations, says Jeff Watkins, chief technology officer at CreateFuture. “The DORA is over 600 pages long and has over 1,000 specific requirements. As this is a standard, there’s also a typical level of ambiguity in definitions of things such as ‘critical or important functions’.”
Indeed, the requirement to understand DORA and implement the requisite controls and changes is “simply beyond most existing teams”, Watkins says. “This then requires expensive external consultants.”
As the regulatory landscape evolves, further complexity is added by the need to navigate the overlap between multiple resilience frameworks, says March. “Financial institutions are not only complying with DORA, but also with the Network and Information Systems Directive (NIS2), the Critical Entities Resilience Directive, the Financial Data Access Regulation, and longstanding regulations such as the General Data Protection Regulation (GDPR). Each has its own requirements, timelines and focus areas – and this can lead to fragmentation.”
Another barrier to the effective implementation of DORA centres on the continued use of legacy infrastructure, says Daniel Walker, principal consultant at Bridewell. “DORA does not specify requirements around legacy technology. However, it does stipulate that risks associated with critical or important functions should be risk assessed, and firms must demonstrate that they are resilient and secure.”
Overcoming DORA Challenges
Experts say it is important that issues with DORA compliance are addressed quickly to avoid more serious problems later on.
Over time, the challenges linked to DORA compliance “will only increase” if organisations fail to take “a joined-up, sustainable approach” to the regulation, Walker says. “Potential new business may hesitate to engage with firms that cannot demonstrate strong resilience capabilities, given that the entirety of a supply chain is now culpable for failings in this area.”
To overcome the issues and boost compliance, resilience and security need to be treated as “central engineering principles from the beginning”, says Nicolette Carklin, technical specialist at SecureFlag. “That means incorporating threat modelling early in design, automating chaos testing and recovery drills, adopting secure coding practices, and validating resilience as part of development.”
To address third-party risk, organisations need better visibility into vendor dependencies, more frequent reviews and shared standards, according to Carklin.
Compliance with DORA could involve taking a hard line with suppliers. In order to resolve contract renewal conflicts, organisations must “wield their commercial leverage”, Milenkovic says. “This involves embedding specific, non-negotiable DORA clauses including audit rights and liability terms into all contracts. The industry as a whole must be prepared to replace non-compliant suppliers, sending a clear market signal that operational resilience is a mandatory cost of doing business, not an optional extra.”
At an executive level, the first step is to treat DORA as “a strategic priority”, allocating resources, embedding it into enterprise risk agendas, and ensuring board-level oversight, March says. From there, organisations must build on existing frameworks, such as GDPR and NIS2, to “reduce duplication and harmonise controls across regulatory regimes”.
Given the breadth of DORA, it helps to have a clear roadmap broken down into phases, says Walker. “Each phase should be mapped back to identified risks, which can be used as a prioritisation mechanism.”
Creating a culture of resilience and information sharing will improve compliance activities and help avoid DORA becoming a “tick-box exercise”, Watkins advises. “Ideally, this information sharing would eventually evolve to become cross-industry – which can only be a good thing for cyber resilience.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist