“Rehearse, rehearse, rehearse” - is your business doing enough on DORA compliance?

Image credit: Pixabay

  • The Digital Operational Resilience Act is in force now
  • The regulation aims to ensure financial firms are prepared in the event of cyberattacks
  • Getting compliant has already cost many firms upwards of €1m

The EU's new Digital Operational Resilience Act (DORA) is now active, and will apply to thousands of British companies that undertake financial market activities in the bloc, as well as to Critical ICT Third Party Providers (CTTPS) which offer services to European firms.

New research from cloud management firm Rubrik has outlined the costs of compliance for companies in the financial sector, with its Rubrik Zero Labs report finding nearly half of financial and banking organisations (47%) have already spent over €1m over the last two years in implementing regulations like DORA and Prudential Regulation Authority measures.

There are five pillars to the DORA requirements: ICT risk management and governance, digital operational resilience testing, ICT-related incident reporting, ICT third-party risk, and information sharing. These lay out the expectations for financial firms in protecting their digital platforms, focusing on risk management and incident response.

Practice in peacetime

So what will secure compliance look like? Well, the crucial takeaway is to “rehearse, rehearse, rehearse,” James Hughes, VP of Solutions Engineering and Enterprise CTO at Rubrik, told TechRadar Pro at a recent event.

“So you can simulate rehearsals, you can simulate recovering applications, you can simulate recovering data, but actually doing it is really, really key, because actually if it (a ransomware attack) happens in the middle of the business day, especially if they're doing training day for a finance service, that's an awful lot of pressure, and that's an awful lot of what do we do and how do we do it?”

Prioritising and preparing is the most important thing for fintech firms. The financial services industry is being hit harder than ever before by ransomware attacks, so complacency will kill. Incident response testing is no longer just best practice, but law, thanks to DORA.

“Given the increasing threat of ransomware and third-party compromise, the implementation of regulations is required and expensive. Understanding what data is the most critical, where that data lives, who has access to it, is essential to identifying, assessing, and mitigating ICT risk,” said Hughes.

Non-compliance consequences

Enforcement of the regulation started on January 17, 2025, so firms should be confident they are following the rules closely - or else face a penalty of up to two per cent of the company's annual global turnover.

It’s likely enforcement will focus on ‘significant and visible’ breaches which will have the most impact, but small firms should still make the framework a priority. This may be quite costly at first, but the longer-term benefit of robust risk management and elevated operational resilience will result in a ‘more secure and resilient financial ecosystem’, which is in everyone’s best interest.

“In terms of potential punitive measures for non-compliance, it’s the usual EU approach of less carrot, more stick, with the risk of mega fines for the worst cases,” said Tim Wright, partner and technology lawyer at Fladgate.

“On top of that, periodic penalty payments of up to 1% of average daily worldwide turnover can be imposed for continued non-compliance, lasting up to six months. Other potential sanctions include public reprimands, business activity restrictions and potential license suspensions.”

Cutting it fine

Despite the two years of prep time, many companies in the UK (43%) won’t be compliant by the deadline, with many (28%) citing a lack of prioritisation from the organisation, research from Orange Cyberdefense has suggested.

To tackle this, 97% of respondents employ or plan to employ external support to help their business become compliant - but 20% of organisations still expect to miss the deadline by at least 4 months.

This is despite the overwhelming backing for the legislation, with 88% of surveyed security professionals believing DORA will be beneficial, and 96% saying it will enhance resilience across the EU and EU business ecosystem.

In an already increasingly stressful time for CISOs and IT leaders, the Rubrik report shows that a worrying 79% of these professionals report the stress of ransomware attacks has had a negative impact on their mental health.

Despite this, most UK CISOs have confidence in the cloud, with 73% feeling that their client, customer, partner, and employee data is safe in cloud environments.

The DORA regulation is an outlier in that it can hold CISOs personally liable, meaning individuals can be fined or even given jail time for non-compliance, although the latter is only likely in cases of gross negligence or fraudulent incident reporting.

“I've got to assume gross negligence in that sort of scenario where you haven't catered for any of it to the point where you're not protecting that danger at all or you've done false accounting or false reporting that you're actually in a much better position than you actually are,” Hughes says.

Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.