17 July, 2025
Survey Reveals 96% of Financial Firms Struggle with DORA Compliance

A recent survey conducted by Veeam Software has highlighted significant challenges faced by financial institutions in Europe regarding compliance with the Digital Operational Resilience Act (DORA). Despite the regulations coming into effect in January 2025, an overwhelming 96% of financial services firms reported that they do not feel fully resilient against digital disruptions.

DORA establishes rigorous standards for how financial firms manage IT risks, respond to cyber incidents, and ensure operational continuity. These rules apply to a broad spectrum of entities within the European Union, including banks, insurers, fintech companies, and investment platforms. The act mandates that organizations test their systems, report incidents, and evaluate third-party vendors.

The findings emerged from a study involving over 400 senior IT and compliance leaders from the UK, France, Germany, and the Netherlands. This group included firms in the UK that operate within the EU, thus falling under DORA’s jurisdiction. While nearly all respondents acknowledged understanding the necessary steps for compliance, many expressed concerns about increased pressures.

In detail, 41% of participants indicated heightened stress on IT and security teams, while 37% reported rising costs from ICT vendors. Furthermore, 22% suggested that the growing complexity of regulations is impeding innovation and competition. Alarmingly, 20% of the respondents have yet to secure the budget required to meet DORA’s extensive demands.

Challenges Ahead for Compliance

Edwin Weijdema, Field Chief Technology Officer for EMEA at Veeam, commented on the findings, stating, “It’s promising to see that most organisations have embraced and feel confident about meeting DORA’s requirements. Achieving compliance is an important first step in ensuring your organisation is resilient, but given today’s complex threat landscape, there’s more to do.” He emphasized the ongoing journey towards operational resilience and the critical need for prioritizing data resilience for long-term success.

The survey also revealed that many organizations are still making efforts to meet key DORA requirements. Specifically, 24% have not established recovery and continuity testing, while the same percentage has not implemented incident reporting. Additionally, 23% have not conducted digital operational resilience testing, and 21% have not ensured backup integrity and secure data recovery.

Third-party risk management was identified as the most challenging DORA requirement, with 34% of respondents citing it as the hardest to implement. Andre Troskie, Field Chief Information Security Officer for EMEA at Veeam, noted, “It’s interesting to see that third-party oversight has emerged as a particular pain point for organisations. Over a third named it the most challenging to implement, and many called for additional guidance.”

The emphasis on assessing resilience holistically aligns with DORA’s intent to enhance operational robustness across the financial sector. Earlier this year, Veeam, in collaboration with McKinsey, introduced a Data Resilience Maturity Model (DRMM) to assist organizations in evaluating and improving their data resilience.

As financial institutions navigate these challenges, the findings from Veeam’s survey underline not only the urgency for compliance but also the broader implications for operational readiness in an increasingly complex digital landscape. The need for ongoing assessment and enhancement of resilience strategies will be paramount as organizations strive to meet regulatory expectations while fostering innovation.