One Year After DORA, Brokers Are Playing Catch-Up

“As of the 2025 assessment cycle, very few institutions can credibly claim full maturity under the Digital Operational Resilience Act,” Mate Ivanszky says. The CEO and founder of Matworks, an IT and cybersecurity provider serving the financial sector, including forex, says about a dozen EU institutions have approached his company in the past six months, many already behind schedule and seeking help to catch up.

“Others,” he adds, “mainly startups, have only recently started engaging seriously with it.”

CFD brokers are among the laggards. According to Reece Pawsey, Director of FinTop Consulting, a specialised HR firm, the sector’s initial response was muted. Brokers did not rush to hire or reorganise when DORA was first announced.

“However, this has slowly increased,” he notes.

Reece Pawsey, Director, FinTop Consulting

DORA Can Be Confusing

The Digital Operational Resilience Act (DORA) has applied since 17 January 2025, part of a broader push from Brussels to harden financial infrastructure against rising cyber and geopolitical risk.

It zeroes in on financial entities, requiring them to show that they can withstand, respond to and recover from cyber attacks and severe ICT disruptions. By February 28, brokers supervised by the Cyprus Securities and Exchange Commission (CySEC) – like every other financial entity under DORA, each with its own competent authority – had to file their annual report, which should have included reporting of major incidents.

In November 2025, cybersecurity firm Cloudflare suffered a three-hour outage, disrupting several broker websites, including Monaxa, Skilling, Xtrade and FXPro. Commenting on the incident at the time, Ran Strauss, CEO of forex SaaS provider Leverate, told Finance Magnates: “We view Cloudflare not merely as a CDN provider, but as a critical component in the security infrastructure of any serious FX & CFD broker.”

Finance Magnates estimated the outage erased almost 1% of an average broker’s monthly trading revenue.

Under DORA's classification criteria, an incident can count as major – and so become reportable – when, among other tests, more than 10% of clients or transactions are affected, more than 100,000 clients are involved, the financial impact exceeds €100,000, or a critical function is disrupted for more than two hours.

It is quite possible, then, that the Cloudflare incident met those thresholds.

However, in January 2026, CySEC released a circular, noting that it had “observed deficiencies in the classification and reporting of ICT-related incidents by Regulated Entities.” These included failing to report major ICT-related incidents or incorrectly classifying incidents as major.

Although the circular did not mention Cloudflare explicitly, its proximity to the incident suggests the episode was on the regulator’s mind.

At the very least, there was widespread uncertainty about what DORA required.

Source: ESMA

Underestimating What DORA Needs

“There was an overall underestimation of what DORA entails in practical terms, which explains why many institutions are now running behind schedule, preparing for reporting deadlines and closing identified gaps,” Ivanszky says.

Indeed, several of the firms that approached Matworks in the past six months were seeking guidance on how to close DORA-sized gaps.

In practical terms, DORA rests on five pillars: ICT risk management, ICT-related incident management (reporting and classification), digital operational resilience testing, information sharing arrangements and ICT third-party risk management.

The pillars are less about preventing every attack or cyber incident than about ensuring that, when one does occur, the broker can detect it, respond safely and quickly, and recover.

“If I had to pinpoint the most underestimated area, it would be ICT third-party risk management,” Ivanszky stresses. “For many brokers, this is where weaknesses become most visible.”

Third-party risk management resembles supply-chain oversight but with sharper teeth. Modern business models rely on a dense web of technology vendors, whose security standards vary widely.

DORA does not merely encourage oversight; it mandates contractual discipline.

Brokers must conduct pre-contract due diligence, secure audit rights and embed resilience metrics into vendor agreements. The more suppliers a broker uses, the more contracts must be reviewed and, in many cases, renegotiated.

While risk profiling of vendors has long been part of information-security practice, DORA formalises and intensifies it.

Mate Ivanszky, CEO and founder, Matworks

In a Wait-And-See Mode

Another reason for the industry’s uneven progress is conceptual. DORA is not a pass-fail regime. Regulators assess a company’s systems, identify gaps, require remediation plans and then monitor implementation.

Enforcement tends to escalate only where deficiencies persist.

“DORA is about ‘show me that you are managing digital risk properly’, not ‘prove that you are perfect’,” Ivanszky explains.

For now, regulators are not escalating, but appear to be in diagnostic mode.

A CySEC spokesperson tells Finance Magnates: “CySEC has issued guidance to supervised entities on DORA and, within the scope of its supervisory mandate, monitors implementation. This includes reviewing incident reports submitted by firms and overseeing the annual submissions to the Register of Information via the XBRL portal.”

Though formulaic, the statement reveals its intent in the negative space: CySEC monitors and oversees, but does not penalise – not yet.

Ivanszky observes a similar pattern. “Based on current supervisory trends, the focus is on remediation timelines and demonstrable progress rather than declaring institutions fully ‘DORA compliant’,” he notes.

Still, it is unlikely that the grace period will last indefinitely. As reporting cycles accumulate and regulators build a multi-year track record, Ivanszky expects that failure to show measurable year-on-year improvement may result in penalties, cease orders or operational restrictions.

For Pawsey, CFD brokers simply followed a familiar regulatory pattern. “I think like all newly introduced regulations,” he says, “such as MiFID II, once firms fully understood the operational and technical requirements, they were able to conclude as to whether there was a need for new hires or they could utilise their internal talent.”

The CISO Question

If DORA’s complexity has had one clear labour-market effect, it is a renewed focus on senior cybersecurity leadership.

Formally speaking, DORA does not require brokers to appoint a Chief Information Security Officer (CISO) to lead the cybersecurity strategy, monitor threats and ensure compliance. But it has elevated governance expectations significantly.

Ivanszky warns that operating without one carries risk, especially for larger brokers, given that the management body must still ensure it has enough know-how to handle ICT risk under DORA.

For his part, Pawsey has observed over the past six months a clear increase in demand for CISOs, Deputy CISOs and senior risk professionals. “Now that DORA is fully in force,” Pawsey notes, “brokers appreciate that there is a need for dedicated security leadership to implement and oversee ICT governance and cyber resilience.”

Hiring a CISO, however, is no cookie-cutter exercise.

In the CFD sector, experienced CISOs command salaries between €160,000 and €250,000, depending on the size of the broker and the location.

“In many cases,” Pawsey says, “smaller CFD brokers often struggle to compete with larger firms on compensation and scale, making it more difficult to attract senior ICT risk and security leadership.”

As a result, they are turning to outsourcing arrangements or fractional CISO models.

Even where brokers succeed in hiring security leaders, retention is another matter. The expanding regulatory perimeter – from DORA to the NIS2 Directive and, in some sectors, frameworks such as PCI DSS or ISO/IEC 27001 – is stretching an already scarce talent pool.

According to the IANS Research and Artico Search State of the CISO 2026 Report, which surveyed 830 CISOs and other security leaders, more than half reported that their scope of work is no longer fully manageable, a trend particularly pronounced in smaller firms. Meanwhile, Gartner reported in 2025 that 62% of cybersecurity leaders experienced burnout at least once, while 44% reported multiple instances.

DORA may improve resilience, but it also adds to an already full plate.

Size Matters, but Not In the Same Way

DORA’s burden is not evenly distributed across the CFD landscape. Smaller brokers and larger ones face different, though comparably uncomfortable, pressures.

For smaller players with limited in-house cybersecurity expertise, the pain is largely financial. Governance frameworks, documentation requirements, vendor oversight, reporting obligations and, in some cases, outsourced CISOs create fixed compliance costs that weigh heavily on their budgets.

What might be manageable overhead for a large broker can be existential for a smaller one.

Larger firms, however, confront complexity rather than cost. Their sprawling vendor ecosystems, legacy outsourcing arrangements and cross-broker ICT dependencies make mapping, fixing contracts, ongoing monitoring and resilience testing significantly more demanding.

“The challenge increases further where critical systems rely on non-EU providers that may not easily align with DORA’s supervisory expectations. Ultimately, smaller firms face cost intensity, while larger firms confront structural complexity,” Ivanszky notes.

“DORA is Not a One-Time Exercise”

Now that the digital penny has dropped, many brokers are accelerating their efforts. But that comes with pitfalls.

“The most common mistake I see is entering a comfort zone after submitting required reports – a ‘phew, we’re done’ mindset. DORA is not a one-time exercise; it is a continuous process, much like cybersecurity and ICT risk management in general,” Ivanszky says.

That warning goes to the heart of the regime, as DORA is designed to be a living framework. Brokers must continuously reassess controls, respond to evolving risks and demonstrate ongoing progress. “Identified gaps come with remediation deadlines, and some remedies can be difficult to implement, particularly if they involve replacing systems or ICT providers,” he states.

Compliance, in other words, cannot be rushed at quarter-end.
