By Vivek Dodd, CEO at Skillcast.
The Digital Operational Resilience Act (DORA), which came into effect in January 2025, is a landmark regulatory framework for financial services operating in the EU. It aims to strengthen businesses’ protections against cyber threats and mitigate digital disruptions by mandating strict risk management protocols across IT, data, information sharing and digital operations.
To comply with DORA and avoid penalties, businesses must establish comprehensive ICT risk management frameworks, ensure prompt incident reporting, conduct regular resilience testing, enforce strict third-party risk management and actively share cyber threat intelligence. While these measures increase resilience, they also come with significant financial and operational challenges.
The increasing demands of compliance
UK firms operating in the EU have felt the financial strain, with nearly half spending over £800,000 on preparations for DORA. These costs are to cover ongoing investments in technology upgrades, cybersecurity enhancements, talent acquisition, and establishing robust governance frameworks to meet both DORA and the broader Financial Conduct Authority (FCA) regulatory expectations in the UK.
The largest chunk of this expenditure is technology infrastructure upgrades. As businesses work to enhance their cybersecurity defences, investing in advanced firewalls, encryption protocols, and real-time threat detection systems has become essential to protect against increasingly sophisticated cyberattacks.
The FCA has also been increasing regulatory scrutiny around operational resilience, and in 2024 the financial watchdog imposed a record-breaking £176 million in fines on regulated financial firms, marking a 230% increase from the £53.4 million imposed in 2023. This sharp rise highlights the increasing pressure on businesses to not only meet DORA requirements, but also ensure they are FCA compliant.
Additionally, the pressure is not just financial. The workforce responsible for implementation is also under significant strain. According to a recent survey, 80% of Chief Information Security Officers (CISOs) reported that their mental health has been significantly impacted by the pressure of meeting compliance requirements.

The impact of non-compliance
While the cost of compliance is high, the consequences of non-compliance can be even more severe. Research shows that 78% of Europe’s largest financial institutions experienced third-party data breaches in the past year, and 84% of those were exposed to fourth-party breaches – where the third party’s own supplier or service provider is compromised, putting the first party at risk. These breaches are not only costly, but also erode customer trust, which is a damaging blow to reputation and future revenue.
Last year, 54% of global financial institutions reported cyberattacks, resulting in stolen and destroyed data, representing a 12.5% increase from 2023. For British businesses, the financial toll of cyberattacks can be extreme, costing close to £44 billion in lost revenue over the past five years.
With cyberattacks becoming more sophisticated, it is critical for businesses to stay ahead of increasingly advanced threats. In 2024, British engineering company Arup fell victim to a deepfake fraud incident in which an employee was deceived into sending £20 million to criminals who used AI-generated video calls.
66% of organisations view AI and machine learning as the biggest cybersecurity threat they expect to see in 2025. As generative AI technologies become more accessible, they could also be increasingly used for ransomware attacks.
The risks are not limited to large financial institutions – SMEs are also highly vulnerable. Many small businesses mistakenly believe they are ‘too small’ to be targeted, yet 58% of UK SMEs reported breaches or attacks in the last 12 months.
Failing to comply with DORA carries severe financial consequences. Businesses operating in the EU can face fines of up to 2% of their global annual turnover or €10 million, whichever is higher. Critical third-party ICT providers face fines of up to €5 million, and can additionally be charged up to 1% of their average daily global turnover for each day of non-compliance, for up to six months, while individuals could be fined €500,000.
Beyond financial penalties, the reputational damage that comes with non-compliance can have long-lasting effects. Failure to comply can erode customer trust, lead to lost business opportunities and invite stricter regulatory measures.
How businesses can minimise compliance risks and strengthen resilience
Minimising the cost and complexity of DORA compliance means treating compliance not just as a regulatory requirement, but as an opportunity to strengthen long-term risk management and stability. Implementing regular, role-specific awareness and compliance training ensures employees understand cybersecurity risks and are equipped to handle critical functions effectively, reducing costly errors and downtime and easing the burden on compliance teams.
Alongside training, firms should have clear protocols in place for identifying, classifying and reporting ICT incidents. Establishing defined reporting channels, with specific incident classifications and employees trained to identify and report incidents, will be an essential part of this. Continuous monitoring also ensures existing security measures remain effective and up to date, reducing the need for expensive reactive fixes.
To stay compliant with DORA and safeguard against rising threats, businesses should schedule annual resilience testing and threat-led penetration testing (TLPT) every three years to help identify existing vulnerabilities and validate the effectiveness of implemented security controls.
Ultimately, compliance is not just about ticking boxes. As regulatory expectations continue to evolve, businesses that adopt a proactive and technology-driven approach will not only meet compliance requirements but also establish themselves as leaders in digital resilience. By embedding compliance and resilience training within their organisational culture, businesses can simplify the process of staying ahead of regulatory changes.
When compliance becomes an integral part of the company’s values and operational strategies, it can streamline decision-making, strengthen cybersecurity, and ensure protection against growing digital threats. UK businesses that prioritise a culture of compliance will not only mitigate risks but also foster a more resilient and prepared company.