DORA and UK Operational Resilience: Staying Resilient in the Digital Age

Feb 21, 2025 | Compliance

In a world where cyberattacks and system outages can strike with little warning, regulatory compliance has shifted from a checkbox exercise to a practical survival matter, especially in the financial sector. Our recent webinar on the EU Digital Operational Resilience Act (DORA) and the UK's operational resilience rules, hosted by Teresa Cameron, Group Chief Financial Officer, revealed some startling insights into the industry's preparedness.

A poll conducted during the webinar showed that nearly half (48.72%) of the responding financial institutions were not fully prepared for DORA when it began to apply on 17 January 2025. More concerning still, 86% of respondents are not yet fully compliant with DORA, and only about 1 in 20 (5.38%) are fully confident in their DORA compliance.

1. If you haven’t started on DORA yet (or are lagging behind), what are the smartest first steps to take now?

Teresa: Great question! If you find yourself behind on DORA, there are three urgent steps to take. First, establish your DORA policy. This will help you internally map out the regulation and understand how it impacts your business. Second, conduct a gap analysis comparing requirements against your current status. Finally, create an action plan that outlines how you’ll address any gaps, setting realistic timelines and assigning business owners. This approach demonstrates to regulators that you understand the requirements and are actively working towards compliance.

2. With only 14% of firms believing they’re compliant, what’s holding the industry back?

Teresa: DORA is all about preparing for the “what-ifs,” which growing businesses often overlook when things are going well. It’s natural for organisations to prioritise growth and innovation during prosperous times, but having a solid plan for when things go wrong can be the difference between survival and failure.

Additionally, the post-COVID world and ongoing global instability have brought a string of regulations for financial institutions. For global SMEs like Clear Junction, balancing limited resources between regulatory compliance and business operations can be challenging. We’ve had to slow our growth pace to prioritise compliance, but it’s a decision we’ll always make for long-term success.

3. Managing third-party vendors is proving to be the toughest challenge, with 54% of financial institutions identifying this as their prime concern. Why, and how can this be better handled?

Teresa: Financial institutions can do everything right in their quest for DORA compliance, but if their third-party vendors aren’t compliant as well, they could still face significant risks. This creates a major blind spot that many organisations are struggling with. Many firms report a lack of transparency from their vendors, making it difficult to verify compliance status.

Unfortunately, there’s no easy fix – existing vendor agreements need review and potential renegotiation to ensure appropriate Service Level Agreements (SLAs) and information sharing. When entering new contracts, businesses should ensure they meet DORA requirements from the outset. Sometimes tough decisions may need to be made regarding non-compliant providers or reducing reliance on third parties altogether for better control and insight. For many businesses, managing these arrangements can quickly become a full-time role.

4. If you think you’re compliant, how are you ensuring you stay that way as expectations evolve?

Teresa: Achieving compliance is just the first step. I always recommend working with a specialist compliance advisor for a “health check” to ensure your internal compliance aligns with regulatory expectations. Regularly review internal procedures, especially after material changes to your business or third-party arrangements, and run internal scenario exercises. If you’re currently excluded from certain regulations (e.g., as a micro-enterprise), make sure you’re aware of any triggers that could necessitate compliance in the future so you can plan accordingly.

5. How can firms turn regulatory compliance into a driver of innovation rather than just a cost burden?

Teresa: At Clear Junction, we view risk management and compliance as integral parts of our business model – not just as hurdles to overcome. We actively collaborate with other regulated financial institutions and share guidance on existing and emerging regulations with our clients. Our clients rely on us not only for our payment solutions but also for our strong reputation in regulatory compliance. They know we’re a secure partner invested in their long-term success.

6. Is DORA / UK Operational Resilience actually enough to future-proof financial services against cyberattacks?

Teresa: These regulations provide a solid foundation for businesses to plan for cyberattacks. But effective implementation requires all areas of the business to work together within a business-wide risk management framework. The human element is crucial, so employee training is key. Additionally, staying informed about evolving attack methods – like those enhanced by AI – is essential. Businesses must engage with industry peers and continuously adapt their strategies to remain resilient.

Teresa’s final takeaway

Prioritising operational resilience isn’t just about meeting compliance requirements – it’s about fostering a culture of preparedness and innovation that ultimately strengthens organisations against future challenges. With only 5.38% of institutions fully confident in their compliance status, there’s clearly significant work to be done across the industry.