The vast majority of financial services firms across Europe believe themselves to be unable to meet the full business resiliency requirements of the EU’s Digital Operational Resilience Act (DORA) regulation.
Research conducted by Censuswide on behalf of data backup supplier Veeam in June 2025 found that 96% of EMEA financial services organisations believe they need to improve their resilience to meet DORA requirements. Some 40% call it a current “top digital resilience priority”.
The survey included 404 senior IT decision-makers and heads of compliance at financial service companies and banks with more than 500 employees across the UK, France, Germany and the Netherlands. Although the UK is a non-EU member state, it was included because of its significant business ties with EU countries, according to the researchers. All the UK respondents work for organisations that currently fall under DORA.
The EU’s Digital Operational Resilience Act is designed to bolster cyber security and ensure the financial sector continues to function under duress. While it is a European regulation and therefore affects companies operating in the European Union (EU), other regions are also putting in place cyber resiliency, including the Bank of England in the UK and Australia’s Prudential Regulation Authority. It aims to harmonise operational resilience rules that apply to 20 different types of financial entities, such as banks, insurance companies and third-party tech suppliers.
It is now six months since the enforcement deadline in January 2025, and respondents to the survey conveyed their weariness around it, with 41% reporting increased stress and pressure on IT and security teams, and 22% believing the volume of digital regulation is becoming a barrier to innovation or competition.
Third-party risk oversight was cited by 34% as the hardest requirement to implement, while 37% complained about higher costs passed on by IT suppliers, and 20% report not having secured the budget needed to meet DORA requirements.
Andre Troskie, field CISO of EMEA at Veeam, said: “It’s interesting to see that third-party oversight has emerged as a particular pain point for organisations. Over a third named it as the most challenging to implement, and many called for additional guidance on establishing it in the first place.
“An often-overlooked facet of data resilience, it’s promising to see that organisations are interrogating their defences to this degree – which is exactly what it was designed to do. Of course, meeting the requirements is key, but DORA was also about getting organisations to assess their resilience holistically – and, in that aspect, it seems to be succeeding.”
Half of the respondents said DORA requirements have been integrated into their broader resilience programmes, while 39% reported it remains a central focus.
But many organisations still have significant work to do in reaching DORA compliance, with roughly a quarter lagging badly. Some 24% have not established recovery and continuity testing, 24% have not implemented incident reporting, 24% have not identified a DORA implementation lead, 23% have not conducted digital operational resilience testing, and 21% have not ensured backup integrity and secure data recovery.
Edwin Weijdema, field CTO of EMEA at Veeam, added: “Achieving compliance is an important first step in ensuring your organisation is resilient, but given today’s complex threat landscape, there’s more to do.
“Our research shows that many financial institutions still see a gap in their overall resilience and face challenges in securing the necessary budget, even as DORA grows in strategic importance. The journey to operational resilience is ongoing, and it’s clear that prioritising data resilience remains critical.”
