Navigating digital resilience in Europe's financial sector: a six-month review

Six months into DORA, EMEA financial services grapple with resilience challenges and third-party risks.

Six months after the EU’s Digital Operational Resilience Act (DORA) came into force, financial services organizations across EMEA are encountering unanticipated challenges in their journey towards full compliance. A recent survey by Veeam Software finds that a concerning 96% of firms feel their data resilience capabilities remain inadequate, despite prioritizing DORA within their strategic initiatives.

DORA, introduced by the EU in January 2025, aims to bolster the financial sector’s defenses against cyber threats and ICT disruptions. While most organizations have recognized its significance, achieving compliance is proving more complex than initially anticipated.

While many companies have made DORA a top organizational priority, with 94% ranking it higher than prior to the deadline, only half have successfully integrated its requirements into their broader resilience programs. A significant 39% still regard compliance as a primary concern.

Despite this awareness of the route to compliance, there are unexpected issues:

  • 41% of firms report heightened pressures on IT and security teams.
  • 37% experience increased costs from ICT vendors.
  • 22% view digital regulation as a barrier to innovation.
  • 20% struggle to secure the budget necessary for compliance.

Yet, as Edwin Weijdema from Veeam points out, “achieving compliance is only the first step.” Although organizations are embracing the guidelines, the work towards comprehensive resilience is ongoing.

Despite widespread acknowledgment of DORA's importance, gaps remain:

  • 24% have not initiated recovery and continuity testing.
  • 24% are yet to implement incident reporting methods.
  • 23% have not conducted digital operational resilience tests.

Third-party risk oversight is the most daunting requirement, with 34% finding it by far the hardest to implement, potentially due to limited visibility and the vast scale of third-party networks.

Andre Troskie, from Veeam, notes that this oversight issue suggests a shift towards a more holistic approach to data resilience. Troskie emphasizes, “It’s interesting to see that third-party oversight has emerged as a particular pain point for organizations... an often-overlooked facet of data resilience, it’s promising to see that organizations are interrogating their defences to this degree – which is exactly what it was designed to do.”

In acknowledgment of ongoing challenges, Veeam, alongside McKinsey, has introduced the Data Resilience Maturity Model (DRMM). Built on research and insights from 500+ IT, security and operations leaders, this framework offers a comprehensive strategy, encouraging organizations to blend IT, security, and compliance into a unified approach towards resilience.
