AuditBoard Survey Finds DORA Compliance Lagging

Audit, compliance, and risk management platform vendor AuditBoard recently announced its findings after surveying over 270 professionals about their compliance with DORA, the EU AI Act, and other compliance frameworks. Overall, the research shows that compliance lags behind expected targets. Channel Insider spoke with AuditBoard CISO Richard Marcus to learn more about the research for partners supporting EU businesses and American entities operating in the region.

Compliance lags across the board

The survey findings do not cover the newly in effect DORA regulation exclusively, but the report does show compliance with DORA is much lower than some might think. Further, compliance with frameworks that have been in effect for much longer, such as the EU AI Act and NIS2, remains low.

The survey results report the following levels of compliance with leading regulatory frameworks:

• NIS2 compliance: 52% of organizations report being compliant, with another 44% expecting to be compliant by the end of 2025
• DORA adherence: 40% of those surveyed report they have completed the necessary steps to comply with DORA
• EU AI Act compliance: Respondents reported the lowest rate of compliance out of the three, with only 34% saying they were following the requirements of the act

In addition to the self-reported compliance lagging behind projections, the AuditBoard report highlighted a gap in compliance success. According to the survey data, companies claim compliance while continuing to miss key implementation policies, leaving them subject to non-adherence penalties even if they think they have fulfilled requirements.

The data around these missing elements include standouts such as:

• 63% of those claiming compliance report having transparency measures in place,
• 55% say they have implemented risk management frameworks,
• and just over half (51%) execute comprehensive risk assessments.

IT professionals concerned about increasing workloads

In addition to self-reported data on where businesses stand on their compliance journeys, the survey also focused on how IT professionals feel about the regulatory landscape as they navigate their work. Perhaps unsurprisingly, many report feeling overwhelmed by the amount of work needed.

“Another important takeaway from the findings is that workloads are expected to increase significantly in light of these new regulations,” Marcus said, noting that the survey found that 90% of respondents believe their workloads will be impacted, with InfoSec professionals reporting the highest level of concern.

“With this in mind, businesses should be thinking about automation and AI tools that can help alleviate some of the burden and even reduce burnout.”

Marcus also recommends that companies consider frameworks they already comply with and map them to these new regulations to identify and address the gaps. This should reduce the possibility of duplicative work and give internal teams a starting point as they catch up to regulation deadlines.

What American organizations need to know

While all of the participants in this survey are based in the UK and Germany, and many of the regulations discussed in the findings are tied to European countries, there are still some key takeaways for American businesses. 

“Any U.S.-based financial companies that operate in the EU will also need to ensure compliance, as will information and communications technology (ICT) providers that sell to EU financial services companies,” Marcus said. This affects any organization currently operating in the EU and serves as a notice to those who may want to enter the market in the future.

And, Marcus says, there is always an upside to considering compliance frameworks as you make technical and operational decisions.

“Even for companies that may not be legally required to comply with these regulations, companies should always implement compliance and risk-friendly practices,” Marcus said. “This can help to mitigate incoming risks, while also increasing trust and confidence with both current and prospective customers. It also eliminates the last-minute rush to become compliant when new regulations inevitably do come into effect.”

Compliance remains a priority for many businesses, and channel partners are stepping in to help. Read more about how Omega Systems offers compliance services in highly regulated industries.