
John Leyden
Senior Writer

EU’s DORA could further strain cybersecurity skills gap

Feature
17 Jan 2025, 9 mins
Compliance, Financial Services Industry, Regulation

As the EU’s Digital Operational Resilience Act comes into force, financial sector firms, especially smaller ones, may face resource constraints, adding pressure on security talent markets.


Efforts spent in achieving compliance with the EU’s Digital Operational Resilience Act (DORA) are likely to pile further pressure on the already strained cybersecurity skills market.

DORA, which comes into full effect today, aims to improve the cybersecurity and operational resilience of financial institutions in the EU, including banks, insurance companies, and investment firms.

The regulations require financial sector firms to establish a comprehensive framework for ICT (information and communications technology) risk management.

Achieving DORA compliance requires implementing essential protection, detection, containment, recovery, and repair measures. Financial sector organisations also need to apply clear rules for ICT incident reporting, operational resilience testing, and oversight of ICT third-party risks.

Bridging the skills gap

Securing DORA compliance requires expertise in areas like ICT risk management, incident response, and resilience testing. These are highly specialised skills already in short supply across Europe and beyond.

Smaller firms in particular may struggle to attract and retain sufficiently skilled staff, according to Julian Brownlow Davies, global vice president of advanced services at bug bounty platform vendor Bugcrowd.

“Smaller organisations may need to rely more heavily on external service providers for testing, monitoring, and compliance management,” Davies told CSO. “While this can reduce the internal staffing burden, it adds recurring costs and potential risks associated with vendor reliance.”

Even before DORA, CISOs had been turning increasingly to security services to relieve skills gaps. DORA will likely accelerate that trend.

Simon Onyons, managing director in the cybersecurity practice at FTI Consulting, noted that DORA incorporates a proportionality principle allowing “implementation to be simplified based on the organisation’s scale, nature, and complexity.” This tailored approach should make it less expensive (in total cost terms) for smaller financial sector firms to achieve compliance than their multinational counterparts.

Workforce pressures

The World Economic Forum’s Global Cybersecurity Outlook 2025 found that the cyber skills gap has increased 8% since 2024.

Finding the right skills to implement DORA compliance in an already strained talent market is likely to be challenging, other experts quizzed by CSO agreed.

“It’s clear that already the demand for skilled cybersecurity professionals far exceeds supply,” commented Suzanne Button, EMEA field CTO at data analytics vendor Elastic. “These new requirements could worsen the crunch, leaving smaller businesses at a serious disadvantage in the competition for talent.”

Pierre Noel, field CISO of Expel, agreed: “As the demand for cybersecurity professionals far outweighs the supply, the result is a big game of musical chairs — with poaching all around.”

Complying with DORA involves increased spending on cybersecurity infrastructure and personnel to establish and maintain the mandated ICT risk management framework. There will also be ongoing costs associated with regular digital operational resilience testing, including vulnerability assessments and penetration testing.

Safi Raza, senior director of cybersecurity at Fusion Risk Management, advised that organisations can apply a combination of employee training, outsourcing to managed services, and upskilling to ease the skills burden of achieving and maintaining compliance with DORA.

Sabeen Malik, vice president of global government affairs and public policy at Rapid7, disagreed with the general consensus that DORA will further strain cybersecurity workforce resources.

“DORA itself will not worsen the cyber skills gap since many financial companies that will be complying with DORA will also be subject to NIS2 and the Cyber Resilience Act,” Malik argued. “As a result, it will be the same teams that will be preparing for the newer rules and regulations.”

Malik added that AI can also provide help “because it will help free up team members from some of the more repetitive tasks to focus on newer implementations.”

Compliance with NIS2, which EU member states were required to transpose into national law by October 2024, has already had a significant impact on resource constraints and skills gaps, according to a survey conducted by software company Veeam, which found that 95% of NIS2-impacted companies had to divert funds from other business areas to cover the costs of NIS2 compliance.

As for DORA, its scope does include entities that may be new to this level of regulatory control, said Andrew Rose, CSO at SoSafe.

“Unregulated entities, such as credit rating agencies and certain types of exempt lending, factoring, and mini-bonds, and those associated with new financial models, such as crypto exchanges and peer-to-peer lending platforms, fall into scope of DORA,” Rose pointed out. “For them, these requirements may mandate a new level of control, together with formalised oversight, requiring spending on both solutions and staffing.”

Compliance shortcomings

A survey commissioned by security consultancy Orange Cyberdefense found that despite two years of preparation time, 43% of the UK financial services industry won’t be compliant with DORA for at least three months.

Barriers to DORA compliance cited by the 200 participants in Orange Cyberdefense’s survey included insufficient prioritisation from the wider organisation (28%) and a lack of skills or knowledge (24%).

Although budgetary constraints aren’t currently ranked highly as a barrier to compliance, 66% of CISOs and senior security decision-makers polled in the survey believe that DORA will significantly increase cybersecurity costs in the long term.

Orange Cyberdefense reckons that tardiness among some companies in achieving DORA compliance arises from a combination of the difficulty in applying overlapping standards, such as NIS2 and DORA, combined with a degree of complacency about early enforcement of new regulations.

“The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect,” said Richard Lindsay, principal advisory consultant at Orange Cyberdefense. “There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible.”

Lindsay added: “While we would expect some amnesty for non-compliant organisations in the short term, the EU clearly envisions DORA as a regulation with some teeth. Fines of up to 1% of worldwide daily turnover and over €1 million for individual senior leadership are significant. Our advice to DORA stragglers is to get their house in order quickly.”

Crystal Morin, cybersecurity strategist at Sysdig, argued that because finance and banking companies are accustomed to periodic changes in compliance and reporting — and are generally switched on about cybersecurity maturity — achieving compliance with DORA should not be a huge hurdle.

“While small financial companies may not be fully compliant from the start, they should actively pursue full compliance and work closely with federal regulators,” Morin advised.

Other experts argued that effective enforcement will be key if DORA is to achieve its objectives.

“The efficacy of DORA in terms of improving the digital operational resilience of the European finance service industry will very much depend on the quality of the local regulators,” Expel’s Noel said. “If they know their subject and ask the right questions, DORA will yield improvements across the industry. Otherwise, it will be one of the many regulations that failed to induce significant improvement.”

Cost-benefit analysis

The potential cost of a DORA compliance project can vary significantly. A June 2024 report by management consultants McKinsey estimated DORA program costs typically range from €5 million to €15 million for strategy, planning, design, and orchestration alone.

Implementation costs can reach five times the initial program costs or more once investments in new technologies and training are made.

The financial costs of achieving compliance with DORA may be challenging — especially for smaller financial institutions, such as small private banks, investment banks, and funds. But industry experts quizzed by CSO said that these costs are more than offset by the long-term benefits of enhanced operational resilience and improved risk management.

“Initial implementation costs will be substantial, especially for smaller firms, relatively speaking,” said Tim Wright, partner and technology lawyer at Fladgate. “The expectation is that the longer-term benefits of enhanced operational resilience and improved risk management will pay back the investment as implementation will lead to a more secure and resilient financial ecosystem.”

A financial sector firm that is more resilient against service outages and cyberattacks is likely to suffer fewer disruptions to its business operations, because it is less exposed to costly downtime.

“The cost of a significant cybersecurity incident or operational breakdown will almost certainly dwarf any initial compliance outlay,” said Bugcrowd’s Davies. “In the end, spending to meet these requirements isn’t just about box-ticking; it’s a strategic investment in reliability and market trust.”

Sam Peters, chief product officer at compliance specialists ISMS.online, argued that financial sector firms need to balance the immediate costs of achieving compliance with DORA against the longer-term business benefits.

“Enhanced operational resilience reduces downtime and mitigates financial losses associated with cyber incidents,” Peters said. “Meanwhile, improved risk management frameworks can help avoid regulatory fines and maintain customer trust.”

Investments in improving cybersecurity resilience by achieving compliance with DORA may make it easier for financial sector firms to secure cyber-insurance protection at more favourable rates.

“One significant benefit we can see is the potential for lower insurance premiums for firms demonstrating robust cybersecurity postures,” Peters added.