UK financial services firms are scrambling to comply with DORA regulations
Lack of prioritization and tight implementation schedules mean many aren’t compliant


More than four-in-ten UK financial services firms look set to miss the deadline for compliance with the new Digital Operational Resilience Act (DORA) tomorrow.
Companies failing to comply with the regulations could face fines of up to 2% of worldwide daily turnover for as long as six months.
However, while nearly nine-in-ten UK CISOs and senior security decision makers believe that DORA will be beneficial, 43% said they won’t be compliant for at least three months.
"The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect," said Richard Lindsay, principal advisory consultant at Orange Cyberdefense, which commissioned the research.
"There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible."
"However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership."
The challenges in implementation varied from organization to organization, but included a lack of prioritization, the short timeline involved, a lack of skills, and a lack of visibility over supply chain or third-party partners, each cited by around a quarter of respondents.
To deal with these issues, virtually all said they planned to call on external support.
Budgetary constraints weren't highlighted as an issue, with 84% of respondents saying they had allocated funds ahead of the deadline. Around three-quarters have reallocated funding from other business areas, and around half have pulled in staff members from other projects.
In the longer term, though, two-thirds of CISOs and senior security decision makers believe that DORA will significantly increase cybersecurity costs.
The new regulations include more than 500 individual requirements, with businesses expected to implement essential protection, detection, containment, recovery, and repair measures.
Rules contained in the legislation place a strong emphasis on ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.
PwC has estimated that more than 22,200 financial bodies and IT service providers fall under the scope of the act. However, the EU is expected to take a targeted approach to any breaches, focusing on larger players and significant breaches.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.