UK financial services firms are scrambling to comply with DORA regulations

EU flags fly outside the union headquarters in Brussels, Belgium.

More than four-in-ten UK financial services firms look set to miss the deadline for compliance with the new Digital Operational Resilience Act (DORA) tomorrow.

Companies failing to comply with the regulations could face fines of up to 2% of worldwide daily turnover for as long as six months.

However, while nearly nine-in-ten UK CISOs and senior security decision makers believe that DORA will be beneficial, 43% said they won’t be compliant for at least three months.

"The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect," said Richard Lindsay, principal advisory consultant at Orange Cyberdefense, which commissioned the research.

"There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible."

"However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership."

The challenges in implementation varied from organization to organization, but included a lack of prioritization, the short timeline involved, a lack of skills, and a lack of visibility over supply chain or third-party partners, each cited by around a quarter of respondents.

To deal with these issues, virtually all said they planned to call on external support.

Budgetary constraints weren't highlighted as an issue, with 84% of respondents saying they had allocated funds ahead of the deadline. Around three-quarters have reallocated funding from other business areas, and around half have pulled in staff members from other projects.

In the longer term, though, two-thirds of CISOs and senior security decision makers believe that DORA will significantly increase cybersecurity costs.

The new regulations include more than 500 individual requirements, with businesses expected to implement essential protection, detection, containment, recovery, and repair measures.

Rules contained in the legislation place a strong emphasis on ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.

PwC has estimated that more than 22,200 financial bodies and IT service providers fall under the scope of the act. However, the EU is expected to take a targeted approach to any breaches, focusing on larger players and significant breaches.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.