Six months after the introduction of DORA, 96 percent of financial institutions in Europe say their current level of data resilience is insufficient.
DORA, fully known as the Digital Operations Resilience Act, has been in effect since January 2025. Although most surveyed organizations in the financial sector consider the legislation a strategic priority, compliance proves challenging in practice. This is according to a study by Censuswide commissioned by Veeam.
read also
Veeam survey: two in three companies fail to meet NIS2 deadline
High on the Agenda
94 percent of respondents indicate that DORA is higher on the agenda today than before the deadline. Four out of ten organizations even consider it a top priority within their digital resilience strategy. However, implementation often lags behind.
In addition to progress, the study also highlights some negative effects of the new regulations. For instance, 41 percent of respondents report increased workload for IT and security teams. 37 percent experience rising costs due to higher invoices from ICT suppliers.
Furthermore, one in five states that the necessary budget is still lacking. Additionally, 22 percent perceive the regulations as a hindrance to innovation or competition.
Important Requirements not Implemented
Many organizations do not yet meet basic elements of DORA. For example, 24 percent report not having implemented recovery and continuity tests, and an equal number have not yet appointed an incident reporting or implementation officer. Additionally, 21 percent lack assurance of backup integrity and secure data recovery.
The most challenging obligation appears to be the oversight of third-party risks. 34 percent of respondents cite this as the most difficult to implement, although only 20 percent have yet to start. Lack of insight into supplier activities and the complexity of partner networks play a role here.
In response to these challenges, Veeam, in collaboration with McKinsey, developed a Data Resilience Maturity Model. This framework helps organizations to assess and improve data resilience in a structured manner, with a view to complying with regulations such as DORA.