Jan 21, 2025

DORA Deadline Passes: Almost Half of UK Financial Institutions Fall Short of Compliance Requirements

Key Thoughts:

  • DORA is a targeted, essential regulation: Unlike broader rules like NIS2, DORA is specifically designed for the financial sector, addressing its unique resilience needs and complementing existing regulations.
  • Resilience is key to stability: DORA focuses on ensuring financial organizations and their supply chains can recover from disruptions.
  • Compliance drives lasting change: While challenging, DORA compliance strengthens operational resilience and supply chain security.

With 2025 well and truly underway, the deadline for the Digital Operational Resilience Act (DORA) has officially passed (as of 16th Jan). However, the UK financial sector is now facing a major compliance gap. Orange Cyberdefense research foresaw that 43% of UK financial institutions would not meet the DORA deadline as of last week; that prediction is now a reality. Those of us who know about DORA are aware that non-compliance could result in fines of up to 1% of global daily turnover for as long as six months. So, with the stakes this high, the question is why nearly half of the UK financial sector has failed to prioritize it.

Why DORA Matters

DORA aims to address these risks by enforcing stronger cybersecurity standards, better incident reporting, and rigorous oversight of third-party risk management. Despite widespread support—88% of CISOs believe DORA will enhance resilience—meeting compliance remains a struggle. Key barriers include lack of prioritization, a short timeline, limited resources, and third-party visibility. A quarter of respondents cited the timeline as a significant hurdle, while over three quarters have had to reallocate budgets from other areas to meet requirements.

The Growing Regulatory Burden

The pace of regulatory change is another challenge. DORA follows hot on the heels of the NIS2 Directive, and—understandably—the overlapping requirements have put pressure on cybersecurity teams across the UK.

However, CISOs agree that compliance with DORA is not optional. The financial penalties are steep, with fines reaching up to 2% of global annual turnover or €10 million. And for critical third-party providers, penalties can hit €5 million, with additional daily fines of 1% for continued non-compliance. Beyond the financial penalties, non-compliant businesses risk suspension of operations until they meet the requirements.

A Path Toward Resilience

While compliance may feel like an added burden, experts like Brian Honan, CEO of BH Consulting, stress that DORA is not just about avoiding fines—it’s an opportunity to build long-term resilience. The regulation provides a clear framework for improving cyber risk management, ensuring businesses are prepared for disruptions and capable of recovery in the face of cyber threats.

For those still working toward compliance, DORA offers a chance to reassess and strengthen internal cybersecurity practices, including incident response and third-party governance. The ultimate goal is to enhance the stability and trust of the entire financial ecosystem.

No Time Like the Present

While many institutions have missed the deadline, it’s still not too late to act. DORA compliance doesn’t just mean avoiding fines—it’s an investment in long-term operational resilience. Whether it’s enhancing cyber risk assessments, integrating incident reporting, or improving third-party oversight, the path to compliance is clear. Speak to Armis today and discover how we can help your DORA journey.

Learn more about DORA on our website.
