On January 17th, 2025, the EU’s Digital Operational Resilience Act (DORA) came into effect. However, a recent Censuswide survey of 200 UK CISOs found that 43% of the UK financial services industry will miss this compliance deadline, despite facing possible fines of up to 1% of global daily turnover for up to six months.
Make it Make Sense
A key question to answer first is, if the UK is no longer a member of the EU, why does DORA even apply to UK businesses? Well, although DORA isn’t directly applicable in the UK, it is still relevant for many UK-based entities, particularly financial firms and ICT service providers that offer services in the EU, either directly or through their group.
DORA is a complex and comprehensive piece of cybersecurity regulation that impacts all entities operating within EU jurisdictions. It will affect thousands of UK entities, many of which will be subject to these standards for the first time. However, it is important to note that many others may already be somewhat compliant with (or working toward compliance with) similar regulations and standards that line up with DORA, such as SS2/21 and ISO27001.
In the UK, on 1 January 2025, the Policy Statement “Operational resilience: Critical third parties to the UK financial sector” and its proposed requirements were established in rules and accompanying expectations for critical third parties (CTPs). Respondents to the original proposal “welcomed the regulators’ commitment to promoting interoperability with regimes such as DORA.” The policy itself also states that where the proposals do differ from DORA, “they do not do so in a way that could reasonably be expected to impact UK competitiveness and growth detrimentally.”
Y Tho
So, if the importance of adhering to DORA is acknowledged in the UK, the organizations themselves have welcomed it, and there are UK-specific policies designed with interoperability with the DORA legislation in mind, why have so many UK banks missed the January deadline?
Despite having had two years to prepare for the legislation, and 88% of respondents to the Censuswide survey saying DORA will be beneficial to them, the survey revealed the barriers respondents felt were impeding adherence:
- A lack of prioritization from the wider organization – 28%
- A short timeline to becoming compliant – 25%
- A lack of skills/knowledge – 24%
- A lack of visibility over supply chain/third-party partners – 24%
Expert Analysis
Dr. Ilia Kolochenko, CEO of ImmuniWeb and a Fellow at the British Computer Society (BCS), has likened the introduction of DORA in 2025 to the adoption of GDPR in 2018. Kolochenko points out how, at that time, “effectively no single large company or financial institution was fully compliant with numerous GDPR requirements.” He envisages “progressive but slow improvements on both sides of the Atlantic” and suggests that some financial institutions may wait for the details of the first wave of enforcement actions against non-compliant companies, to see how a potential penalty compares against implementation costs.
Whilst highlighting how some companies may well take a dubious position when it comes to evaluating cost versus benefits, he does sympathize with the struggles financial organizations face with this issue. He identifies that “Today, with numerous third parties having privileged access to critical business data, multicloud or hybrid data storage environments, vulnerable mobile and smart/IoT devices utilized for business purposes, and the rapid proliferation of untested or unreliable AI tools, DORA compliance may be either cost prohibitive or simply impossible from a technical viewpoint.”
As difficult and inconvenient as the new standards may be, the deadline has passed, and DORA is in effect. Eyes will now turn to the European Supervisory Authorities (ESAs), who have the authority to impose fines for non-compliance.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.