Six months after new EU rules came into force to toughen up how financial firms handle digital disruptions, most organisations still don’t feel ready. A new survey by Veeam Software found that 96 per cent of financial services firms across Europe believe their data resilience is still not where it needs to be, despite the Digital Operational Resilience Act (DORA) now being in effect.
DORA, which took effect in January 2025, sets strict standards for how financial institutions manage IT risk, respond to cyber incidents and ensure operational continuity. It applies to a wide range of firms operating in the EU, from banks and insurers to fintechs and investment platforms, and requires them to test systems, report incidents and scrutinise third-party vendors.
The findings come from a study commissioned by Veeam, a US-headquartered software company that specialises in backup, recovery and data resilience tools. The company surveyed over 400 senior IT and compliance leaders in the UK, France, Germany and the Netherlands, including firms in the UK that do business in the EU and are therefore within DORA’s scope.
While nearly all respondents said they understood the steps needed for compliance, many reported new pressures: rising costs from tech vendors, added stress on IT teams and concerns that growing regulatory complexity is now holding back innovation. Third-party risk management emerged as the most difficult DORA requirement to meet.
Veeam findings at a glance
- 94 per cent of organisations are clear on the steps they need to take
- Yet 41 per cent report increased stress and pressure on IT and security teams
- 37 per cent are dealing with higher costs passed on by ICT vendors
- 22 per cent believe the volume of digital regulation is becoming a barrier to innovation or competition
- 20 per cent have yet to secure the necessary budget to meet DORA requirements
“It’s promising to see that most organisations have embraced and feel confident about meeting DORA’s requirements,” said Edwin Weijdema, field CTO EMEA, Veeam. “Achieving compliance is an important first step in ensuring your organisation is resilient but given today’s complex threat landscape there’s more to do.
“New Veeam research shows that many financial institutions still see a gap in their overall resilience and face challenges in securing the necessary budget, even as DORA grows in strategic importance. The journey to operational resilience is ongoing, and it’s clear that prioritising data resilience remains critical for organisations’ long-term success.”
More work to do
Many organisations are still working to meet key DORA requirements:
- 24 per cent have not established recovery and continuity testing
- 24 per cent have not implemented incident reporting
- 24 per cent have not identified a DORA implementation lead
- 23 per cent have not conducted digital operational resilience testing
- 21 per cent have not ensured backup integrity and secure data recovery
- Third-party risk management emerged as the top compliance hurdle, with 34 per cent naming it the hardest to implement.
Andre Troskie, field CISO EMEA at Veeam, added: “It’s interesting to see that third-party oversight has emerged as a particular pain point for organisations. Over a third named it the most challenging to implement, and many called for additional guidance on establishing it in the first place.
“An often-overlooked facet of data resilience, it’s promising to see that organisations are interrogating their defences to this degree – which is exactly what it was designed to do. Of course, meeting the requirements is key, but DORA was also about getting organisations to assess their resilience holistically – and in that aspect, it seems to be succeeding.”
Earlier this year, Veeam and McKinsey introduced a Data Resilience Maturity Model (DRMM), which enables organisations to assess their data resilience.