DORA Non-Compliance Could Cost Your Business

Prompted by a new era of cyber-attacks that is driving up downtime and data breaches, the Digital Operational Resilience Act (DORA) came into force on the 17th of January to reshape how organisations approach security, privacy and cybersecurity. Cybercriminals are becoming increasingly daring and creative, and the exploitation of new vulnerabilities is expected to rise in 2025.

Recent trends highlight an alarming increase in cybercrime. Research by SecurityScorecard revealed that 78% of Europe's largest financial institutions experienced third-party data breaches in the past year, and 84% of those were also exposed to fourth-party breaches, underscoring the extensive reach of cyber threats within the financial sector. Further, according to the World Economic Forum's Global Cybersecurity Outlook report, supply chain vulnerabilities are emerging as the top ecosystem cyber risk, with 54% of large organisations identifying supply chain challenges as the biggest barrier to achieving cyber resilience.

As organisations adopt hybrid work models and shift towards cloud-based infrastructures, they inadvertently expose themselves to a greater volume of cyber-attacks. These threats are increasingly sophisticated, often employing AI technologies to automate attack vectors. In this context, DORA is not merely a legal obligation but a crucial strategy for organisations to reinforce their cybersecurity frameworks and achieve operational resilience.

Ransomware dominates as the top threat across 92% of industries, according to the 2024 Verizon Data Breach Investigations Report, making rapid patching and exposure management more critical than ever for organisations striving to stay ahead. DORA's regulatory framework is designed to improve the integrity and resilience of digital systems in financial entities and Information and Communication Technology (ICT) third-party service providers across Europe. It harmonises how organisations detect, handle and report ICT-related risks in order to mitigate the ever-growing risk of breaches.

Understanding the Consequences of Non-Compliance

As businesses increasingly face a rising tide of cyber threats, DORA has emerged as a pivotal framework designed to enhance the cybersecurity posture of financial institutions within the European Union.

Although many large financial firms, which already operate within a highly regulated sector, typically have robust cyber resilience integrated into their systems, compliance concerns continue to weigh heavily on the UK financial services sector. A report by Orange Cyberdefense revealed that 43% of organisations were expected to miss the DORA compliance deadline. Even more striking, delays are projected to last at least three months due to the complexity of the regulatory requirements.

Now that DORA is in force, its strict mandates in areas such as ICT risk management, incident reporting, testing, threat information sharing and third-party risk management cannot be overlooked without facing substantial fines. Organisations must notify the relevant competent authority of "major" incidents (those affecting critical services) within just four hours of determining that the incident meets this classification. Following the initial notification, a detailed intermediate report must be submitted within 72 hours of classifying the incident as major. DORA additionally requires firms to collate information about their contracts with ICT providers into a register.

Failure to comply with these regulations can have severe repercussions. The act requires EU member states to implement appropriate penalties for breaches, which may include fines of at least 2% of average daily worldwide turnover for up to six months, or individual fines of up to €1 million. Critical third-party ICT service providers that fail to adhere to DORA's requirements risk even steeper fines, operational restrictions and irreparable reputational damage.

Regulatory authorities have the power to limit or suspend the business activities of non-compliant financial firms until full compliance is achieved. The competent authority also has the right to request data traffic records from telecommunications operators where there is reasonable suspicion of a breach. Public notices identifying those involved and the nature of the breach may also be issued. Such penalties might have a more significant financial impact than fines alone. Notably, DORA introduces individual liability for business leaders regarding their firm's compliance failures, with a maximum penalty of €1 million.

A Call for Robust Compliance Strategies

A recent data reporting dry run conducted by the European Supervisory Authorities (ESAs), involving 1,039 financial firms, revealed that only 6.5% reported no data reporting failures. The majority of reporting errors were attributed to gaps in reporting accuracy: 84% of reporting failures stemmed from missing data in mandatory fields, and a further 6.5% were due to faulty Legal Entity Identifiers (LEIs).

Therefore, firms must supply correct and complete information to avoid reporting failures and data quality issues. It is also essential that organisations obtain an LEI so that they are able to participate in data reporting.

Organisations that do not adopt proactive and comprehensive cybersecurity strategies and fail to comply with DORA face a spectrum of significant consequences that could jeopardise not only their operations but also their reputation and client trust.

Moving Forward

The DORA framework offers a structured approach for financial entities and their third-party providers to manage operational resilience in an increasingly digital landscape. Collaborating with specialised compliance partners can help organisations navigate the complexities of these regulations, ensuring adherence that translates into genuine operational strength.

Considering the evolving threat landscape and the severe consequences of non-compliance, organisations must prioritise compliance with DORA while reinforcing their cybersecurity frameworks. The stakes are high, but the right measures can lead to a more resilient and secure operational environment for all stakeholders involved.