IT providers can also be fined under DORA. The rules threaten levies of as much as 1% of average daily worldwide revenue for up to six months.

"These sanctions are necessary," Brian Fox, chief technology officer of software supply chain management firm Sonatype, told CNBC. "They are a powerful motivator, pushing leaders to take compliance and operational resilience more seriously than ever."

Orange Cyberdefense's Lindsay said there's a risk longer term that financial services firms end up moving their critical security functions and services in-house.