
Six months after the Digital Operational Resilience Act (DORA) came into effect on 17 January 2025, Deloitte Luxembourg has published its most recent survey assessing the progress financial entities are making towards DORA compliance.
The Digital Operational Resilience Act (DORA) is an EU regulation that requires financial institutions to strengthen their digital risk management so that they are better protected against ICT disruptions and cyber threats.
At the start of 2025, Deloitte conducted an in-depth European survey to assess how financial services entities across 28 countries were transitioning towards compliance with DORA, with a closer look at the European market.
Now that the DORA application date has passed and the regulatory technical standards are finalised and issued in the Official Journal, Deloitte has conducted a follow-up survey aimed at understanding the readiness of financial institutions in complying with DORA and the associated implementation challenges that these institutions are facing.
The survey focused on financial entities, with respondents including chief information security officers (CISOs), chief risk officers (CROs) and DORA programme managers, and covered key areas such as compliance responsibilities, customer size, industry representation and revenue distribution.
As digital risk remains a top concern for the financial services industry, this report is said to offer "valuable benchmarking data" based on responses from financial entities across 28 European countries. The insights gleaned are expected to help spark broader conversations around resilience, cybersecurity and regulatory preparedness in both the EU and Luxembourg, in addition to addressing where some institutions are making headway and where significant gaps remain.
The key findings from the survey reveal both progress and pressing challenges:
- only a quarter (25%) of respondents felt confident in their compliance with ICT risk management (Pillar I);
- 48% said they have ICT incident management protocols (Pillar II) ready for digital disruptions;
- nearly all respondents (92%) indicated they do not yet consider themselves to be fully compliant with resilience testing and third-party risk management (Pillars III & IV);
- 64% of respondents said they plan to spend €2 to €5 million on initiatives to support their compliance with DORA's five pillars, including advisory, systems and implementation (17% were still unable to provide a definite estimate);
- nearly half (46%) mentioned the register of information as the most challenging DORA requirement to satisfy;
- 17% of entities identified due diligence, risk assessment and ICT third-party compliance as demanding areas, emphasising the complexity of maintaining robust risk management frameworks.
Deloitte noted that, as Luxembourg is home to a diverse financial ecosystem, including banks, investment firms, insurance companies and ICT providers, these results offer "a rare and focused snapshot" of how key players are adapting (or struggling) to meet DORA's demands and shaping future operational strategies.
To access the full report, visit https://www.deloitte.com/lu/en/services/consulting/research/dora-european-survey.html.