Corporate and specialist services emerged as the most prepared for DORA.
Financially regulated sub-sectors in the UK are failing to adequately safeguard systems against cyber threats.
Around two months after the DORA regulation came into force, research has found a “severe gap in cybersecurity resilience.” The analysis covered 250 businesses in nine financially regulated sub-sectors, looking at factors including FCA fines and complaints, ICO complaints, the number of cybersecurity incidents reported, and the number of firms registered to Cyber Essentials Plus.
The findings include that 37 percent of the total complaints reported to the Information Commissioner’s Office were cybersecurity incidents. Three-quarters of the firms analysed have operations in the EU, yet only 16 percent are registered to Cyber Essentials Plus.
Among the sub-sectors analysed, corporate and specialist services emerged as the most prepared for DORA, with a maximum index score of 105. The sub-sector reported just two cybersecurity incidents and no FCA fines or complaints over the past two years, while also leading in Cyber Essentials Plus adoption - with triple the number of registered firms compared to the least prepared sub-sector.
Conversely, banking and lending scored just 37 out of 105, marking these firms most at risk of non-compliance with DORA. Between 2023 and 2024, firms in this sub-sector incurred seven FCA fines totalling over £96 million, highlighting a serious pattern of non-compliance.
Vivek Dodd, CEO at Skillcast, said: “Compliance with DORA should be a priority for any business with operations in the EU, not just those in financially regulated sub-sectors. Firms must be looking to strengthen risk management and cybersecurity resilience - not only to avoid financial and reputational penalties but to safeguard their assets in the long term.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.