96% of the EMEA financial sector admits they still do not comply with DORA: digital resilience is still under construction

A survey commissioned by Veeam reveals the most common shortcomings faced by European financial institutions in adapting to the EU’s new operational resilience regulations.

Six months after the Digital Operational Resilience Act (DORA) went into effect across the European Union, 96% of financial services organizations in the EMEA region acknowledge that they still need to improve their operational resilience to fully comply with the regulation. This is according to a new survey conducted by Censuswide for Veeam Software, a global leader in data resilience by market share.

The research, which surveyed 404 IT and compliance managers in organizations across the UK, France, Germany, and the Netherlands, shows that the path toward digital resilience remains full of obstacles, even though 94% of organizations now prioritize DORA more than before it was enforced.

DORA: a priority… with side effects

Although the European regulation has been integrated into most organizations’ resilience programs — half say they have incorporated it comprehensively, and 39% maintain it as a central priority — it has also produced unexpected effects:

  • 41% report increased stress and pressure on IT and cybersecurity teams.
  • 37% cite higher costs for technology services from providers.
  • 22% believe the growing regulatory burden may hinder innovation and competition.
  • 20% have not yet secured the necessary budget for implementing DORA requirements.

Specific obstacles: testing, reporting, and backup integrity

The data indicate that, despite their declared commitment, many organizations still fall short on essential elements of DORA:

  • 24% have not established recovery and continuity testing processes.
  • 24% lack incident reporting mechanisms.
  • 24% have not appointed a responsible person for implementation.
  • 23% have not conducted operational digital resilience tests.
  • 21% have not ensured the integrity and secure recovery of their backups.

According to Andre Troskie, Veeam’s Field CISO for EMEA, one of the most critical points is third-party risk management, which 34% of organizations identify as the most challenging requirement to implement. “Many organizations still have limited visibility into their external providers and networks. It’s positive to see they are assessing their defense stance in this area, as it was a main goal of DORA,” he notes.

The DRMM model: a roadmap toward resilience

To support organizations in this journey, Veeam and McKinsey introduced earlier this year the Data Resilience Maturity Model (DRMM), the industry’s first framework for assessing data resilience maturity. Developed from interviews with over 500 IT, security, and operations leaders, this model enables a comprehensive integration of IT, compliance, and security pillars into a single strategy.

Edwin Weijdema, Veeam’s Field CTO for EMEA, emphasizes that “meeting DORA is only the first step. Operational resilience is an ongoing process, and many organizations are still far from reaching an optimal level. Data resilience should be a long-term strategic priority.”

Calls for better DORA design

22% of surveyed organizations believe that DORA could have been better designed, and call for more clarity, simplification, and specific guidelines regarding third-party risks. Despite these criticisms, the regulation has achieved its intended effect: a thorough review of digital defense systems within the European financial sector.

Conclusion: resilience is a journey, not a destination

Half a year after its implementation, DORA has driven a cultural and operational transformation in how financial organizations understand cybersecurity resilience. However, data show there is still much progress to be made. Most organizations recognize significant gaps, especially in critical processes such as continuity testing, vendor management, or data backup.

Meanwhile, Veeam continues to position itself as a key player in guiding this transition, offering technological solutions and strategic frameworks to help organizations meet regulatory requirements and, above all, build radical resilience against future disruptions.

Source: Veeam
