96% of EMEA Financial Services Firms Acknowledge Gaps in DORA‑Driven Data Resilience

Six months on from the EU’s Digital Operational Resilience Act (DORA) deadline, a recent Censuswide survey commissioned by Veeam® Software reveals that 96% of financial services organisations across the UK, France, Germany, and the Netherlands believe their data resilience still falls short of DORA’s stringent requirements.

Although 94% of respondents now rank DORA compliance higher than they did before January 2025—with 40% calling it a “top digital resilience priority”—many firms face unexpected hurdles:

  • 41% report elevated stress on IT and security teams
  • 37% are grappling with increased costs from ICT vendors
  • 22% warn that proliferating digital regulations threaten innovation
  • 20% have yet to secure the budget needed for full compliance

“It’s promising to see that most organizations have embraced and feel confident about meeting DORA’s requirements,” said Edwin Weijdema, Field CTO EMEA at Veeam.

“Achieving compliance is an important first step in ensuring your organization is resilient, but given today’s complex threat landscape, there’s more to do. … The journey to operational resilience is ongoing, and it’s clear that prioritizing data resilience remains critical for organizations’ long-term success.”

Yet key DORA mandates remain unfulfilled:

Requirement                                    % Not Yet Completed
Recovery and continuity testing                24%
Incident reporting                             24%
Appointment of a DORA implementation lead      24%
Digital operational resilience testing         23%
Backup integrity and secure data recovery      21%

Third‑party risk oversight emerged as the single biggest pain point: 34% cite it as their toughest requirement, even though only 20% have yet to implement it.

“It’s interesting to see that third‑party oversight has emerged as a particular pain point for organizations,” said Andre Troskie, Field CISO EMEA at Veeam.

“Over a third named it the most challenging to implement, and many called for additional guidance on establishing it in the first place. … Of course, meeting the requirements is key, but DORA was also about getting organizations to assess their resilience holistically—and in that aspect, it seems to be succeeding.”

Meanwhile, 22% of surveyed firms believe DORA itself could be simplified—particularly around third‑party risk guidance—to ease the compliance burden.

Veeam’s Data Resilience Maturity Model

To help companies navigate this evolving landscape, Veeam and McKinsey earlier this year launched the Data Resilience Maturity Model (DRMM). This industry‑first framework—vetted by over 500 IT, security, and operations leaders—offers a cross‑functional roadmap to assess and enhance data resilience, uniting IT, security, and compliance into a single strategy aligned with DORA and other regulations.

“DORA was about more than compliance—it was about driving a holistic reassessment of digital data resilience,” added Troskie. “And in that respect, it’s working.”

For further details on Veeam’s approach to data portability and resilience, visit Veeam: Data Portability and Resilience.