DORA introduces over 500 new regulatory requirements, putting financial and operational strain on UK financial institutions.
Nearly half of UK financial firms risk missing the compliance deadline, with smaller firms facing the greatest challenges.
The cost of compliance has been significant, with many firms spending over €1 million on upgrades and audits.
A disconnect between CISOs and executive leadership over IT budgets and compliance priorities poses additional risks.
The UK financial sector is facing mounting challenges after the EU-wide Digital Operational Resilience Act (DORA) came into effect on Friday (January 16).
The Act introduces more than 500 new regulatory requirements designed to bolster cybersecurity across the industry.
But whilst the regulation aims to enhance resilience to cyber threats, its implementation by the UK financial sector has placed a significant financial and operational burden on businesses.
High Costs and Tight Deadlines
Nearly half (43%) of UK financial firms were expected to miss the DORA compliance deadline, according to a report by Orange Cyberdefense. Smaller firms are particularly vulnerable, as limited resources and complex requirements have left them struggling to meet the new standards.
Tim Wright, a technology lawyer at Fladgate, noted the uneven readiness across the sector. “Many financial institutions are not fully prepared for DORA implementation, suggesting varying levels of readiness,” he said. “Smaller firms face greater challenges due to resource constraints and the complexity of DORA’s 500-plus requirements, as well as dealing with a wide range of third-party service providers.”
The financial toll has been substantial, with 47% of firms spending more than €1 million (£842,000) on compliance efforts over the past two years, according to Rubrik Zero Labs.
Another 28% reported expenditures between €500,000 and €1 million (£421,000–£842,000). These funds have been used to upgrade technology stacks, hire contractors, and establish audit committees to meet the new standards.
Rising Pressure on Cybersecurity Teams
The push to comply with DORA has also taken a mental toll on cybersecurity professionals. Rubrik’s research revealed that nearly 80% of UK chief information security officers (CISOs) have experienced significant stress while working to meet the regulatory requirements.
James Hughes, VP of sales and enterprise CTO at Rubrik, emphasized the necessity of DORA despite the challenges. “Given the increasing threat of ransomware and third-party compromise, the implementation of regulations is required and expensive,” he said.
Ransomware remains the top cybersecurity concern for 46% of financial institutions, followed by vulnerabilities in software supply chains and third-party compromises.
Hughes highlighted the importance of foundational cybersecurity practices, such as identifying critical data, understanding its location, and controlling access. Failure to meet these standards could result in fines from the Financial Conduct Authority (FCA).
Disconnect Between CISOs and Executives
Another challenge for the sector is a disconnect between cybersecurity teams and executive leadership. Nearly three-quarters of CISOs believe their IT budgets are misaligned with board-level priorities for regulatory compliance.
“There is a critical gap between board-level understanding and reality,” Hughes said. “While regulators are increasingly stringent, many CISOs feel their budgets don’t adequately reflect the board’s commitment to compliance. This disconnect jeopardizes not only the organizations’ security posture but also their ability to meet evolving regulatory demands.”
A Necessary but Costly Framework
Despite the high costs and operational strain, DORA is seen as a necessary step in addressing cyber risks in the financial sector. By requiring robust ICT risk management, operational testing, and contingency planning, the regulation aims to safeguard organizations against threats like ransomware and third-party compromises.
As the financial sector adjusts to DORA’s demands, the long-term benefits of improved resilience and reduced cyber risks may outweigh the initial challenges. However, the path to full compliance will likely remain steep for many, especially smaller firms grappling with resource limitations and competing priorities.