It’s time to get to grips with DORA
tashatuvango – stock.adobe.com
It’s not really a surprise so many organisations missed the EU’s DORE compliance deadline, but there’s no excuse for delaying, says Azul EMEA VP James Johnston
By
- James Johnston, Azul
Published: 14 May 2025
It’s no surprise to me that financial services organisations missed the 17 January2025 deadline to be in compliance with the European Union’s Digital Operational Resilience Act (DORA). I personally have not met a CIO or CISO who thought this deadline was realistic.
Even back in January, research from Orange Cyberdefense saw 43% of respondents in the industry admit they would not be compliant by the deadline. In March, Clear Junction revealed 86% of financial services organisations were not fully compliant and more worryingly Skillcast’s DORA readiness report showed huge variation in the resilience of these institutions’ IT infrastructures. The banking and lending subsector stood out as the least prepared for compliance while the financial transaction processing subsector was the most vulnerable to cyber threats.
Given we have known this deadline was coming, why such inconsistency when it comes to readiness?
The reality is that cyber security strategies are always dealing with moving targets. Today, your organisation could feel secure and in compliance with DORA, but tomorrow the vulnerability landscape could change. New threats are introduced all the time. For example, you could implement a new supplier technology which could create new vulnerabilities in the supply chain, or the regulations themselves could change. In the UK, we are still expecting the Cyber Security and Resilience Bill at some point this year. The Government has announced its proposals but it is still to be confirmed when it will come into effect.
View DORA as an opportunity
The reality is that many companies are still unsure what measures they need to take to establish DORA compliance, and it requires a significant amount of vigilance across IT infrastructures to understand your exposure.
One area commonly overlooked or discounted is the Java environment. Given Java comprises 51% of the software code in the financial sector, companies should make sure to give their Java applications the appropriate consideration as this is where many compliance and security risks lie dormant. Azul’s 2025 State of Java Survey & Report revealed that 41% of respondents encounter critical production security issues within their Java ecosystems on a weekly or daily basis. While three years after the Log4j incident, 49% are still experiencing security weaknesses in production from the remote code execution (RCE) vulnerability.
Financial institutions must ensure their Java footprint, and that of their third-party providers or services, complies with DORA regulations. As a result, investing in detection tools and post-breach response preparedness can help significantly reduce breach costs for financial firms and their customers. Together, they will have to take an inventory of the risks associated with their applications to ensure compliance and security.
That risk could be amplified if organisations use unsupported versions of Java (and the underlying open source project for the Java programming language called Open Java Development Kit (or OpenJDK for short). In highly regulated industries, like financial services, where systems run on Java are supporting mission-critical applications, not ensuring your core systems are supported is highly risky, particularly as it exposes you to non-compliance with regulations like DORA.
To guarantee compliance, players in the financial services industry must address these five pillars:
Guarantee ICT risk management: Unsupported OpenJDK distributions can expose financial institutions to significant risks, such as unpatched security vulnerabilities and performance issues. It is necessary to have an OpenJDK distribution capable of providing security patches to ensure Java applications remain resilient and compliant with management requirements.
Report incidents quickly: Not all OpenJDK distributions provide security updates and critical patch updates (CPU’s) at the same time leading to unreported and unnoticed incidents that can lead to non-compliance. Industry players must equip themselves with tools capable of providing continuous monitoring for vulnerabilities and unused or dead code in production. This allows organisations to quickly and accurately detect, report and remediate vulnerabilities.
Carry out regular and rigorous penetration and security tests: Using outdated or vulnerable updates of Java may not accurately reflect production environments, leading to false security assumptions. It is therefore important to have up-to-date and tested Java distributions, including legacy versions like Java 6 and 7 and architectures like Windows x86 32-bit, enabling reliable and accurate testing environments for financial institutions.
Strengthen third-party risk management. Affiliating with unsupported OpenJDK distributions by third parties increases the risk of security vulnerabilities and operational failures. It is necessary to ensure that third-party applications and services based on Java meet the highest security and performance standards, thereby reducing third-party risks.
Participate in sharing information on cyber threats. Using unsupported OpenJDK distributions may result in a lack of awareness about updates and security patches, relegating these applications and services to becoming a weak link in the information sharing chain. Organisations must ensure they are aware of the latest vulnerabilities and can share relevant threat intelligence with other entities to improve collective cyber security resiliency.
Cyber security is essential for stable and high-performance business operations today. By ensuring a secure Java distribution, promptly addressing vulnerabilities, and continuously monitoring their Java environment, companies can make a large portion of their IT assets DORA-compliant and strengthen their resilience against cyberattacks.
James Johnston is vice president of EMEA at Java specialist Azul. He is responsible for growing Azul’s software revenues across EMEA. Prior to joining Azul, James has held a number of leadership positions with Cloudera, Fujitsu and HPE. James has an honours degree in business studies from UWE.
