Nearly half of financial institutions were unprepared for the realities of the Digital Operational Resilience Act (DORA) regulation when it came into force in January 2025, global payments solution provider Clear Junction has revealed.
While cyberattacks and system outages show no sign of slowing down or lessening in impact, Clear Junction reveals that many businesses are facing challenges in balancing compliance with operational priorities.
In a move to mitigate the impact of severe operational disruptions, such as cyberattacks or system outages, the EU introduced DORA. The regulatory rule set aims to manage information and communication technology (ICT) risk across the financial sector. Organisations within its scope – including banks, non-bank financial institutions, fintechs, virtual asset service providers, and e-money issuers – must comply with strict regulatory and technical standards to ensure operational resilience in the face of cyber threats and digital disruptions.
However, while DORA provides a clear regulatory framework, it also places significant pressure on firms to both interpret its complexities and take swift action to ensure compliance.
In fact, nearly half (48.72 per cent) of financial institutions were not fully prepared for DORA when it came into effect, while 13 per cent admitted they were ‘not prepared at all’.
Meanwhile, although DORA officially came into effect on 17 January 2025, 86 per cent of financial institutions are still not fully compliant with it. Just one in 20 financial firms (5.38 per cent) expressed full confidence in their compliance status.
Hurdles remain
“The difference between surviving a cyber incident and failing to recover often comes down to preparation,” commented Teresa Cameron, group chief financial officer at Clear Junction. “Achieving DORA compliance is just the first step. Businesses also need to ensure that their third-party vendors meet regulatory standards. Without this, vendors could become a significant blind spot in an organisation’s risk management framework. Some firms may have to make tough decisions – either pushing vendors to comply or reducing reliance on non-compliant third parties.”
Fifty-four per cent of financial institutions revealed that managing third-party vendors is their biggest challenge. Clear Junction says that many firms reported a lack of transparency from vendors regarding their compliance status, making it difficult to mitigate risks effectively. It says that without proper oversight, even organisations with robust internal compliance measures could find themselves exposed to regulatory penalties or operational vulnerabilities.
Cameron added: “At Clear Junction, we see risk management and compliance as integral to our business model. Our clients don’t just rely on us for payment solutions – they value our strong reputation in regulatory compliance. It’s a competitive advantage.”
Following the survey, Clear Junction is urging firms that are behind on DORA compliance to take immediate steps, including establishing a clear policy, conducting a gap analysis, and creating an action plan to address vulnerabilities.