The deadline for implementing the EU’s DORA has expired. How far have financial service providers come? Not very far, according to a recent survey.
As of Friday, Jan. 17, all EU financial institutions are required to operate in compliance with the Digital Operational Resilience Act (DORA). The EU directive aims to increase cybersecurity in the financial industry. However, studies show that many companies are still struggling with implementation.
According to a November 2024 survey from metafinanz, the average level of implementation for DORA compliance at midsize financial companies was around 45%. At the time, none of the organizations surveyed expected to be fully compliant by the Jan. 17 deadline. Anticipated compliance levels for the deadline ranged from 30% to 90%, with the average company expecting to have addressed around two-thirds of the requirements by Jan. 17.
The biggest challenges
The authors of the study attributed this in part to the late publication of the technical standards, in addition to the extensive detail of the regulations. According to the German Association of Insurers (GDV), some technical details of DORA remain unclear, in particular concerning management of third-party risks. Under DORA, financial companies must manage both internal information and communication technology (ICT) risks and risks from third-party providers and their subcontractors.
“For contract management with service providers, the outstanding specifications for subcontracting must be finalized quickly,” says Jörg Asmussen, general manager of the GDV.
Ron Kneffel, chairman of the board of the CISO Alliance, also confirmed to CSO that many companies have not yet completed the necessary measures to be fully DORA compliant. “The biggest hurdles continue to be renegotiating existing contracts with IT service providers and partners, as well as creating and maintaining detailed information registers,” Kneffel explains.
“In addition, integrating new regulatory requirements into existing processes is a major challenge, especially without disrupting ongoing business operations,” he adds. The estimated costs for implementation will vary. “The expenses depend on the complexity of the requirements, which will be in the medium to upper range.”
Other experts have suggested that DORA could also further strain the cybersecurity skills gap.
“Smaller organizations may need to rely more heavily on external service providers for testing, monitoring, and compliance management,” Julian Brownlow Davies, global vice president of advanced services at Bugcrowd, recently told CSO. “While this can reduce the internal staffing burden, it adds recurring costs and potential risks associated with vendor reliance.”
As the insurance industry magazine Versicherungswirtschaft Heute reports, DORA can become very expensive for companies whose implementation is not at least halfway finished by Jan. 17. In Germany, for example, the size of the fine depends on the actions taken by the financial regulator BaFin.
Despite the challenges, Kneffel sees a glimmer of hope in the increased use of IT-supported solutions and the outsourcing of IT security services. “Specialized tools and service providers are already being used, but the possibilities of artificial intelligence are also still being evaluated. These technologies offer enormous potential to accelerate and optimize compliance processes, even if their implementation requires additional resources,” he says.
The central task of CISOs is not only to meet regulatory requirements, but also to sustainably strengthen the digital resilience of the organization, emphasizes the chairman of the CISO Alliance. “The remaining tasks must be prioritized, closely coordinated between departments and completed with a clear focus on long-term resilience,” Kneffel says.
He adds: “At the same time, we have to think beyond the deadline. The requirements should be continuously reviewed and adjusted in order to ensure the long-term safety and stability of IT security.”