DORA Non-Compliance Could Cost Your Business

Sean Tilley

3 February 2025

As reported recently, new European Union legislation has taken effect which covers areas such as cybersecurity and overall digital resilience. To discuss what’s at stake is Sean Tilley, who is senior director of sales for Europe, Middle East and Africa at 11:11 Systems.

The editors are pleased to share these views; the usual editorial disclaimers operate; we urge readers who want to jump into the conversation to do so and email tom.burroughes@wealthbriefing.com and amanda.cheesley@clearviewpublishing.com.

Prompted by a new era of cyber attacks, surging downtime and data breaches, the Digital Operational Resilience Act (DORA) came into force on 17 January to reshape the way in which organisations approach security, privacy and cybersecurity. Cybercriminals are becoming increasingly daring and creative, with an expected rise in the exploitation of new vulnerabilities in 2025.

Recent trends highlight an alarming increase in cybercrime. Research by Security Scorecard revealed that 78 per cent of Europe’s largest financial institutions experienced third-party data breaches in the past year, and that 84 per cent were exposed to fourth-party breaches, underscoring the extensive reach of cyber threats within the financial sector.

Further, according to the World Economic Forum’s Global Cyber Security Outlook Report, supply chain vulnerabilities are emerging as the top ecosystem cyber risk, with 54 per cent of large organisations identifying supply chain challenges as the biggest barrier to achieving cyber resilience.

As organisations adopt hybrid work models and shift towards cloud-based infrastructures, they inadvertently expose themselves to a greater volume of cyber attacks. These threats are increasingly sophisticated, often employing AI technologies to automate attack vectors. In this context, DORA is not merely a legal obligation but a crucial strategy for organisations to reinforce their cybersecurity frameworks and achieve operational resilience.

Ransomware dominates as the top threat across 92 per cent of industries, according to the 2024 Verizon Data Breach Investigations Report, making rapid patching and exposure management more critical than ever for organisations striving to stay ahead. DORA’s regulatory framework is designed to improve the integrity and resilience of digital systems in financial entities and information and communication technology third-party service providers across Europe, harmonising how organisations detect, handle and report ICT-related risks to mitigate the ever-growing risk of breaches.

Understanding the consequences of non-compliance
As businesses increasingly face a rising tide of cyber threats, DORA has emerged as a pivotal framework designed to enhance the cybersecurity posture of financial institutions within the European Union.

Although many large financial firms, which already operate within a highly regulated sector, typically have robust cyber resilience integrated into their systems, compliance concerns continue to weigh heavily on the UK financial services sector.

A report by Orange Cyberdefense revealed that 43 per cent of organisations were expected to miss the DORA compliance deadline. Even more striking, delays are projected to last for at least three months due to the complexity of the regulatory requirements.

Now that DORA is in force, its strict mandates in areas such as ICT risk management, incident reporting, testing, threat information sharing and third-party risk management cannot be overlooked without risking substantial fines. Organisations must notify the relevant competent authority of “major” incidents within just four hours of determining that the incident meets this classification. Following the initial notification, a detailed intermediate report must be submitted within 72 hours of classifying the incident as major. DORA additionally requires firms to collate information about their contracts with ICT providers into a register.

Failure to comply with these regulations can have severe repercussions. The act requires EU member states to implement appropriate penalties for breaches, which may include fines of at least 2 per cent of average daily worldwide turnover for up to six months, or individual fines reaching up to €1 million. Critical third-party ICT service providers that fail to adhere to DORA's requirements risk facing even steeper fines, operational restrictions and irreparable reputational damage.

Regulatory authorities possess the power to limit or suspend the business activities of non-compliant financial firms until full compliance is achieved. The competent authority also has the right to request data traffic records from telecommunications operators if there is reasonable suspicion of a breach. Regulators may additionally issue public notices identifying those involved and the nature of the breach. Such penalties might have a more significant financial impact than fines alone. Notably, DORA introduces individual liability for business leaders regarding their firm’s compliance failures, with a maximum penalty of €1 million.

A call for robust compliance strategies
A recent data reporting dry run conducted by the European Supervisory Authorities, involving 1,039 financial firms, revealed that only 6.5 per cent reported no data reporting failures. The majority of reporting errors were attributed to gaps in reporting accuracy: 84 per cent of reporting failures stemmed from missing data in mandatory fields, and a further 6.5 per cent were due to faulty Legal Entity Identifiers (LEIs).

Therefore, companies and firms must provide the correct information to avoid reporting failures and data quality issues. It is also essential that organisations obtain an LEI to enable them to participate in data reporting.
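Both failure classes the dry run reported, missing mandatory fields and faulty LEIs, can be caught before a register row is submitted. The following is an added example, not code from the article or from 11:11 Systems: it validates LEIs with the ISO 7064 MOD 97-10 check digits defined by ISO 17442, and checks a hypothetical set of mandatory columns (the real register-of-information templates define their own fields). The sample LEI in the comments is, as I recall, GLEIF's own public identifier, used here only as sample data.

```python
"""Pre-submission sanity checks for DORA register-of-information rows (added example)."""
import re

# ISO 17442 LEI: 20 alphanumeric characters; the last two are ISO 7064 MOD 97-10 check digits.
_LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def _lei_to_int(chars: str) -> int:
    # ISO 7064: digits stay as they are, letters map A=10 ... Z=35; the
    # concatenated decimal string is then interpreted as one integer.
    return int("".join(str(int(c, 36)) for c in chars))


def lei_check_digits(prefix18: str) -> str:
    """Compute the two check digits for an 18-character LEI prefix.

    Example: lei_check_digits("506700GE1G29325QX3") == "63".
    """
    prefix18 = prefix18.upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be 18 alphanumeric characters")
    return f"{98 - _lei_to_int(prefix18 + '00') % 97:02d}"


def is_valid_lei(lei: str) -> bool:
    """True when the LEI is well-formed and its check digits verify (whole value mod 97 == 1)."""
    lei = lei.strip().upper()
    return bool(_LEI_RE.match(lei)) and _lei_to_int(lei) % 97 == 1


# Hypothetical mandatory columns for one register row; the real DORA templates differ.
MANDATORY_FIELDS = ("entity_lei", "provider_lei", "contract_ref", "service_type")


def validate_register_row(row: dict) -> list[str]:
    """Return the problems found in one row; an empty list means the row passes."""
    problems = []
    for field in MANDATORY_FIELDS:
        if not str(row.get(field, "")).strip():
            problems.append(f"missing mandatory field: {field}")
    for field in ("entity_lei", "provider_lei"):
        value = str(row.get(field, "")).strip()
        if value and not is_valid_lei(value):
            problems.append(f"faulty LEI in {field}: {value}")
    return problems
```

Running every row through `validate_register_row` before export gives a per-row list of the exact gaps, which is what a reporting team needs to fix the two error classes the dry run found.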

Organisations that do not adopt proactive and comprehensive cybersecurity strategies and fail to comply with DORA face a spectrum of significant consequences that could jeopardise not only their operations but also their reputation and client trust.

Moving forward
The DORA framework offers a structured approach for financial entities and their third-party providers to manage operational resilience in an increasingly digital landscape. Collaborating with specialised compliance partners can help organisations manage the complexities of these regulations, ensuring that adherence translates into genuine operational strength.

Considering the evolving threat landscape and the severe consequences of non-compliance, organisations must prioritise compliance with DORA while reinforcing their cybersecurity frameworks. The stakes are high, but the right measures can lead to a more resilient and secure operational environment for all stakeholders involved.