Six months after the EU’s DORA (Digital Operational Resilience Act) came into effect, a new survey commissioned by Veeam reveals that 96% of EMEA financial services organizations still feel their current level of data resilience falls short. The survey, which gathered insights from senior IT decision makers at financial services companies in the UK, France, Germany, and the Netherlands, underscores the ongoing challenges faced by the sector as it adapts to DORA. DORA is a framework introduced by the EU in January 2025 to strengthen the financial industry’s defenses against cyberthreats and ICT disruptions.
While DORA has been embedded as a strategic priority across the financial sector, many organizations are still navigating the path to full compliance. The survey found that 94% of organizations surveyed now rank DORA higher in their organizational priorities than they did in the month before the deadline, with 40% calling it a current “top digital resilience priority.” Half of the respondents said DORA requirements have been integrated into their broader resilience programs, while 39% reported it remains a central focus.
The Unintended Consequences of DORA
Even with 94% of organizations clear on the steps they need to take, many are facing unforeseen challenges:
- 41% report increased stress and pressure on IT and security teams.
- 37% are dealing with higher costs passed on by ICT vendors.
- 22% believe the volume of digital regulation is becoming a barrier to innovation or competition.
- 20% have yet to secure the necessary budget to meet DORA requirements.
“It’s promising to see that most organizations have embraced and feel confident about meeting DORA’s requirements,” said Edwin Weijdema, Field CTO EMEA at Veeam. “Achieving compliance is an important first step in ensuring your organization is resilient, but given today’s complex threat landscape, there’s more to do. New Veeam research shows that many financial institutions still see a gap in their overall resilience and face challenges in securing the necessary budget, even as DORA grows in strategic importance. The journey to operational resilience is ongoing, and it’s clear that prioritizing data resilience remains critical for organizations’ long-term success.”
DORA: Still a Work in Progress
Despite this prioritization, many organizations are still working to meet key DORA requirements:
- 24% have not established recovery and continuity testing.
- 24% have not implemented incident reporting.
- 24% have not identified a DORA implementation lead.
- 23% have not conducted digital operational resilience testing.
- 21% have not ensured backup integrity and secure data recovery.
The most challenging DORA requirement? Third-party risk oversight: 34% of organizations cite it as the hardest to implement, even though only 20% have yet to do so. There are many possible reasons for this, from the limited visibility many organizations have into their third-party operations to the sheer scale of third-party networks.
Andre Troskie, Field CISO EMEA at Veeam, said, “It’s interesting to see that third-party oversight has emerged as a particular pain point for organizations. Over a third named it the most challenging to implement, and many called for additional guidance on establishing it in the first place. An often-overlooked facet of data resilience, it’s promising to see that organizations are interrogating their defences to this degree, which is exactly what it was designed to do. Of course, meeting the requirements is key, but DORA was also about getting organizations to assess their resilience holistically and in that aspect, it seems to be succeeding.”
Additionally, 22% of organizations felt that DORA’s design could have been improved to aid compliance, with calls for simplification, clarification, and more detailed third-party risk guidance.
Supporting the Journey to Resilience
In response to the growing need for structured resilience strategies, Veeam and McKinsey earlier this year introduced the industry’s first Data Resilience Maturity Model (DRMM). Built on extensive research and insights from over 500 IT, security, and operations leaders, the Veeam DRMM has been validated through real-world customer outcomes. This framework enables organizations to assess their data resilience using a cross-functional approach that integrates IT, security, and compliance into a unified strategy. It provides a clear roadmap for enhancing resilience and achieving compliance with regulations like DORA.
“DORA was about more than compliance, it was about driving a holistic reassessment of digital data resilience,” added Troskie. “And in that respect, it’s working.”