New Veeam survey reveals widespread compliance gaps and mounting pressure on IT teams, six months after the EU’s DORA deadline
Six months after the EU’s Digital Operational Resilience Act (DORA) came into force, a new Censuswide survey commissioned by Veeam® Software reveals a sobering reality: 96% of financial services organizations across EMEA believe their current data resilience is insufficient to meet DORA’s stringent requirements.
The survey, which polled senior IT decision-makers in the UK, France, Germany, and the Netherlands, highlights the sector’s struggle to adapt to DORA—a regulation designed to fortify financial institutions against cyber threats and ICT disruptions.
DORA Takes Center Stage
The urgency is clear. 94% of respondents now rank DORA higher in their organizational priorities than they did before the January 2025 deadline, with 40% calling it a “top digital resilience priority.” Yet, only half have fully integrated DORA into their broader resilience programs.
“Achieving compliance is an important first step, but the journey to operational resilience is ongoing.”
— Edwin Weijdema, Field CTO EMEA, Veeam
Unintended Consequences and Compliance Challenges
Despite clarity on required actions, unforeseen hurdles persist:
- 41% report increased stress on IT and security teams.
- 37% face rising costs from ICT vendors.
- 22% say regulatory volume is stifling innovation.
- 20% still lack the budget to meet DORA requirements.
“New Veeam research shows that many financial institutions still see a gap in their overall resilience,” said Edwin Weijdema. “Prioritizing data resilience remains critical for long-term success.”
Key Gaps in Implementation
Many organizations are still working to meet core DORA mandates:
- 24% lack recovery and continuity testing.
- 24% haven’t implemented incident reporting.
- 24% haven’t appointed a DORA lead.
- 23% haven’t conducted resilience testing.
- 21% haven’t ensured backup integrity.
The most difficult requirement? Third-party risk oversight, cited by 34% as the hardest to implement.
“It’s promising to see organizations interrogating their defenses to this degree,” said Andre Troskie, Field CISO EMEA at Veeam. “DORA was about holistic resilience—and in that respect, it’s working.”
A Roadmap to Radical Resilience
To support this journey, Veeam and McKinsey introduced the Data Resilience Maturity Model (DRMM)—a cross-functional framework validated by real-world outcomes. It helps organizations assess and enhance resilience across IT, security, and compliance.
As Troskie concluded, “DORA was about more than compliance—it was about driving a holistic reassessment of digital data resilience.”
