A recent survey conducted by Veeam Software has revealed that an overwhelming 96% of financial institutions across Europe feel unprepared to effectively manage digital disruptions, even after the implementation of the Digital Operational Resilience Act (DORA). This regulation, which came into force in January 2025, sets stringent guidelines for how financial firms handle IT risk, respond to cyber incidents, and ensure operational continuity.

The survey, which included responses from over 400 senior IT and compliance leaders in the UK, France, Germany, and the Netherlands, indicates that while most organizations recognize the necessary steps for compliance, they are grappling with significant pressures. These include rising costs from technology vendors, increased stress on IT teams, and heightened concerns that regulatory complexity is stifling innovation.

DORA mandates various compliance requirements, including system testing, incident reporting, and rigorous scrutiny of third-party vendors. Survey respondents singled out third-party risk management as a significant challenge, with 34% naming it the most difficult aspect to implement.

Key Findings from the Survey

The findings provide a stark picture of the current state of resilience among financial firms. While 94% of organizations are clear about the steps required for compliance, the survey uncovered several areas of concern:

41% of respondents reported increased stress and pressure on IT and security teams.
37% noted that costs from ICT vendors have risen.
22% indicated that the volume of digital regulations is becoming a barrier to innovation or competition.
20% have yet to secure the necessary budget to meet DORA requirements.

Edwin Weijdema, Field CTO EMEA at Veeam, commented on the findings, stating, “It’s promising to see that most organizations have embraced and feel confident about meeting DORA’s requirements. Achieving compliance is an important first step in ensuring your organization is resilient, but given today’s complex threat landscape, there’s more to do.”

Despite the confidence expressed by many firms regarding compliance, the survey highlighted that a considerable number have not yet met critical DORA requirements. Specifically:

24% have not established recovery and continuity testing.
24% have not implemented incident reporting.
23% have not conducted digital operational resilience testing.
21% have not ensured backup integrity and secure data recovery.

The Ongoing Challenge of Data Resilience

The survey results underscore the ongoing challenges that financial institutions face in establishing a robust data resilience framework. Andre Troskie, Field CISO EMEA at Veeam, emphasized the importance of third-party oversight, noting that many organizations are calling for additional guidance to effectively manage this area.

“It’s promising to see that organizations are interrogating their defences to this degree — which is exactly what DORA was designed to achieve,” Troskie remarked. “Of course, meeting the requirements is key, but DORA was also about getting organizations to assess their resilience holistically — and in that aspect, it seems to be succeeding.”

Earlier this year, Veeam, in collaboration with McKinsey, introduced a Data Resilience Maturity Model (DRMM), which helps organizations evaluate their data resilience capabilities. This tool aims to provide a clearer path for firms to address their resilience gaps as they navigate the complexities of compliance under DORA.

As financial institutions continue to adapt to the regulatory environment, it is clear that prioritizing data resilience will be essential for their long-term success. The challenges identified in the survey reflect a critical need for ongoing investment in technology and resources to meet evolving regulatory standards and protect against digital disruptions.