Six months after the European Union’s Digital Operational Resilience Act (DORA) took effect, a stark reality has emerged: despite widespread recognition of its importance, the vast majority of financial institutions still struggle to meet its requirements. Recent research reveals this compliance gap and highlights why organizations increasingly rely on specialized solutions to build the robust data resilience frameworks that DORA demands.
The DORA Implementation Reality Check
A new Censuswide survey commissioned by Veeam Software reveals that 96% of EMEA financial services organizations still feel their current level of data resilience falls short of DORA requirements. This finding, drawn from insights gathered from over 400 senior IT decision makers at financial services companies across the UK, France, Germany, and the Netherlands, exposes the gap between regulatory expectations and operational reality.
DORA entered into application on 17 Jan 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures. The regulation represents a fundamental shift in how European financial institutions approach operational resilience, moving beyond traditional cybersecurity measures to establish comprehensive frameworks for digital operational continuity.
Understanding DORA’s Comprehensive Framework
DORA introduces a five-pillar framework of ICT risk management; incident reporting; digital operational resilience testing; third-party risk management; and information sharing. Each pillar addresses critical aspects of digital operational resilience:
ICT Risk Management requires organizations to develop and maintain comprehensive frameworks for identifying, assessing, and mitigating technology-related risks before they impact operations.
Incident Management and Reporting establishes standardized processes for documenting and communicating cybersecurity incidents across the EU financial sector, creating transparency and shared learning opportunities.
Digital Operational Resilience Testing mandates regular assessment of systems and processes to ensure they can withstand various disruption scenarios.
Third-Party Risk Management addresses the growing dependency on external ICT service providers, requiring financial institutions to maintain oversight of their technology supply chains.
Information Sharing promotes collaborative defense through voluntary threat intelligence sharing arrangements between financial entities.
The Persistent Compliance Challenges
The survey findings reveal specific areas where financial institutions continue to face implementation difficulties. The most challenging DORA requirement? Third-party risk oversight, with 34% of organizations citing it as the hardest to implement. This challenge reflects the complex reality of modern financial services, where organizations depend on extensive networks of technology providers.
Additional compliance gaps persist across other critical areas:
- 24% have not established recovery and continuity testing
- 24% have not implemented proper incident reporting mechanisms
- 23% have not conducted digital operational resilience testing
- 21% have not ensured backup integrity and secure data recovery
These statistics underscore that DORA compliance involves more than policy development—it requires fundamental changes to how organizations architect, protect, and recover their technology infrastructure.
Veeam’s Strategic Response to DORA Requirements
Recognizing these challenges, Veeam, the #1 global leader in data resilience, has positioned itself as a key partner for organizations working to meet DORA requirements. “It’s promising to see that most organizations have embraced and feel confident about meeting DORA’s requirements,” said Edwin Weijdema, Field CTO EMEA at Veeam. “Achieving compliance is an important first step in ensuring your organization is resilient, but given today’s complex threat landscape, there’s more to do.”
Veeam’s approach addresses multiple DORA pillars through integrated technology solutions and strategic guidance. The company’s data resilience platform provides the foundation for meeting several critical requirements:
Risk Assessment and Security Policies: Veeam Security & Compliance Analyzer provides automated scanning capabilities that help organizations maintain comprehensive documentation of their data resilience posture while conducting regular risk assessments.
Incident Response and Recovery: The platform’s reporting capabilities enable organizations to document cybersecurity incidents effectively while maintaining the rapid recovery capabilities that DORA requires during and after security incidents.
Business Continuity: Veeam Recovery Orchestrator delivers automated disaster recovery planning and testing, directly addressing DORA’s requirement for organizations to maintain operations during security incidents.
Third-Party Risk Management: Veeam’s vendor-agnostic approach helps organizations avoid single-provider dependencies while maintaining security throughout their technology stack.
Building a Data Resilience Foundation
The research reveals that financial institutions increasingly recognize data resilience as fundamental to DORA compliance. “DORA was about more than compliance – it was about driving a holistic reassessment of digital data resilience,” added Andre Troskie, Field CISO EMEA at Veeam. “And in that respect, it’s working.”
The comprehensive data resilience architecture of Veeam Data Platform includes several key components that support DORA compliance:
Backup & Replication: Provides secure data resilience for all workloads across on-premises and cloud environments, ensuring seamless backup and instant recovery capabilities that meet DORA’s business continuity requirements.
Advanced Security Features: Protects against ransomware through immutable backups that cannot be modified or encrypted, with automated testing to ensure backups remain ransomware-free.
Monitoring and Threat Detection: Veeam ONE provides monitoring, reporting, and capacity planning capabilities that support early incident detection and response requirements under DORA.
Addressing Corporate Accountability
One of DORA’s most significant aspects involves personal accountability for corporate management. DORA introduces uniform and harmonized governing principles for the management of cyber risks, creating clear expectations for executive oversight of digital operational resilience.
Veeam addresses this challenge by providing management teams with clear visibility into their organization’s data resilience posture. By integrating with security information and event management (SIEM) systems, organizations gain comprehensive views of their data resilience and security situations, enabling better oversight and decision-making at the executive level.
The Path Forward: From Compliance to Resilience
The survey findings indicate that while organizations face implementation challenges, DORA has successfully elevated the strategic importance of digital operational resilience. 94% of organizations now rank DORA higher in their organizational priorities than they did in the month before the deadline, with 40% calling it a current “top digital resilience priority.”
Veeam’s approach recognizes that effective DORA compliance requires more than technology implementation—it demands organizational transformation. The company’s solutions support cross-team collaboration among security, IT, and compliance teams while providing the technical capabilities necessary for meeting regulatory requirements.
Innovation in Data Resilience
As the regulatory landscape continues to evolve, Veeam’s commitment to innovation helps organizations stay ahead of emerging requirements. The integration of artificial intelligence in Veeam Data Platform improves threat detection and prevention capabilities, enabling proactive identification and mitigation of potential security threats to ensure data integrity.
The company has also developed specialized offerings for regulated industries, including Veeam Government Solutions, which addresses data challenges through secure backup, recovery, and data management features designed for high-security environments.
Supporting Industry-Wide Transformation
Beyond individual compliance efforts, Veeam contributes to broader industry transformation through initiatives like the Data Resilience Maturity Model (DRMM), developed in partnership with McKinsey. Built on extensive research and insights from over 500 IT, security, and operations leaders, the Veeam DRMM has been validated through real-world customer outcomes.
This framework enables organizations to assess their data resilience using a cross-functional approach that integrates IT, security, and compliance into a unified strategy, providing clear roadmaps for achieving both compliance and operational excellence.
Looking Ahead: The Future of Financial Resilience
The research reveals that DORA implementation is not a destination but an ongoing journey. “The journey to operational resilience is ongoing, and it’s clear that prioritizing data resilience remains critical for organizations’ long-term success,” noted Edwin Weijdema.
As financial institutions continue to adapt to DORA requirements, the need for comprehensive data resilience solutions becomes increasingly apparent. Organizations that view compliance not as a regulatory burden but as an opportunity to build competitive advantages through superior operational resilience are best positioned for long-term success.
The partnership between regulatory frameworks like DORA and technology solutions like those provided by Veeam creates foundations for sustained resilience that benefit not only individual organizations but the entire European financial ecosystem. As the digital transformation of financial services accelerates, the ability to maintain secure, reliable operations in the face of evolving threats becomes a fundamental business capability rather than merely a compliance requirement.