Security and compliance teams had a busy start to 2025. Sandwiched between the deadline for member states to implement NIS 2 into local law and the start of the new PCI DSS 4.0 regime came DORA: the Digital Operational Resilience Act. From January 17, it was expected to sweep over 22,000 financial services firms and their ICT suppliers operating in the EU into its scope.

There’s just one issue. According to new research, 96% of European financial services firms still don’t believe their digital resilience is sufficient to meet DORA’s exacting requirements. And many IT and security teams are feeling overwhelmed by the extra workload. This is where ISO 27001 compliance could be useful.

A New Era of Financial Resilience

Cyber incidents over the past two decades have caused $12bn in direct losses to global financial firms, according to the IMF. This isn’t just a financial risk; it could present a systemic risk to a sector that is itself critical national infrastructure. DORA is the European Commission’s answer: a new regulation designed to ensure that financial firms – and crucially their suppliers – have the resilience to continue operating even through periods of severe disruption.

It does this by at once harmonising regulations and raising the bar for in-scope security and compliance teams. There are five key pillars:

  1. ICT Risk Management: Robust policies to identify, assess, and mitigate ICT risks.
  2. Incident Reporting: Timely and standardised reporting of significant ICT-related incidents to relevant authorities.
  3. Digital Resilience Testing: Regular testing to evaluate an organisation’s preparedness for disruptions.
  4. Third-Party Risk Management: Ensuring financial institutions monitor and manage risks associated with their supply chain.
  5. Information Sharing: Encouraging threat intelligence sharing within the industry to improve collective resilience.

Some Way to Go

Unfortunately, things aren’t going quite to plan, if the results of a new Veeam survey are to be believed. The firm polled over 400 IT/compliance decision makers in the UK, France, Germany, and the Netherlands. The resulting report finds that 94% now rank DORA a higher priority than they did a month before the deadline, and the same share are clear on what steps they need to take. Yet the vast majority are still not up to DORA standards of resilience.

Veeam claims that many firms don’t have the budget (20%) for DORA compliance, and in some cases are dealing with higher supplier costs (37%) passed on by their ICT partners. Two-fifths (41%) also report increased stress and pressure on their IT and security teams.

Just half have integrated DORA’s requirements into their broader resilience programs. Veeam regional VP of UK & Ireland, Drew Gardner, believes many of these compliance gaps and delays may be down to third-party liabilities.

“With so many functions covered by these third parties, many organisations will have assumed their products adhered to DORA, but that’s simply not the case,” he tells ISMS.online. “With so many agreements lacking shared responsibility models, an organisation could have assumed compliance fell under the umbrella of their provider, while the provider believed the opposite.”

Where They’re Failing

Data from the report backs Gardner’s view. A third (34%) of those polled claim the hardest part of compliance is third-party risk oversight. A fifth have yet to even attempt it.

“The sheer number of third-party providers that the average financial services organisation works with is likely well into the dozens, and most will operate under the black box model – giving little insight into their security measures,” says Gardner.

“For those still to establish this third-party oversight, it’ll be no small task to unravel this, and organisations can’t afford to delay.”

Other areas that many organisations haven’t yet begun to tackle include:

  • Recovery and continuity testing (24%)
  • Incident reporting (24%)
  • Selecting a DORA implementation lead (24%)
  • Digital operational resilience testing (23%)
  • Backup integrity and secure data recovery (21%)

Getting Back on Track

With so much still to do, and other priorities to manage alongside it, DORA compliance can seem like a daunting task. However, Gardner argues that implementing best practice standards and frameworks could “significantly ease” the compliance burden.

“With ISO 27001 in particular, organisations can reduce duplication of effort and streamline compliance across multiple regulations, saving both time and resources,” he explains.

“Its structured approach to risk management means that organisations can identify and mitigate potential security risks in a systematic manner, rather than fighting fires on multiple fronts simultaneously. This enhances overall security posture and provides a clear and documented process for demonstrating compliance to auditors and regulators.”

James Hughes, enterprise CTO at Rubrik, urges organisations to bake DORA compliance into day-to-day processes rather than treat it as a one-off project.

“Six months in, DORA is doing more than just adding to the compliance burden; it’s forcing real operational change. But there’s a danger it becomes another box-ticking exercise if CISOs don’t change their mindset,” he tells ISMS.online. “It’s not about passing audits, it’s about being able to withstand and recover from real attacks, with minimal business downtime.”

Over a fifth (22%) of organisations polled by Veeam argue that DORA’s design could have been improved to boost compliance rates. They’ve called for simplification, clarification, and more detailed guidance on how to manage third-party risk. That may or may not be forthcoming from the regulators. In the meantime, it’s not too late to start plugging the gaps highlighted by the study, Hughes argues.

“Start by mapping your critical ICT assets, rehearsing incident response and assessing supplier risk,” he concludes. “But ultimately, it’s time to ramp things up – attackers won’t wait for your paperwork to catch up.”