Financial Institutions Still Playing Catch-Up Following EU’s DORA, Finds Clear Junction

  • 11.03.2025 07:05 am

Clear Junction, a leading global payments solution provider, has revealed that nearly half of financial institutions were unprepared for the realities of the Digital Operational Resilience Act (DORA) regulation when it came into force in January 2025. The findings highlight the challenges businesses face in balancing compliance with operational priorities amid an increasingly complex regulatory landscape.

In a world where cyberattacks and system outages can devastate operations without warning, ensuring regulatory compliance has evolved from a checkbox exercise to a key survival factor. DORA establishes a comprehensive set of rules for managing information and communication technology (ICT) risk across the financial sector. Organisations within its scope – including banks, non-bank financial institutions, fintechs, virtual asset service providers (VASPs), and e-money issuers – must comply with strict regulatory and technical standards to ensure operational resilience in the face of cyber threats and digital disruptions.

However, while DORA provides a clear regulatory framework, it also places significant pressure on firms to both interpret its complexities and take swift action to ensure compliance.

Clear Junction’s key findings 

The insights were gathered from a poll of over 170 senior payment industry executives conducted during Clear Junction’s recent ‘Operational Resilience and DORA Masterclass’ webinar, held in partnership with leading compliance consultancy Cosegic. Attendees, representing businesses affected by DORA, were asked about the biggest challenges they faced in achieving compliance.

Key findings from the webinar poll include:

  • Nearly half (48.72%) of financial institutions were not fully prepared for DORA when it came into effect, while 13% admitted they were “not prepared at all.”

  • 86% of financial institutions are still not fully compliant with DORA regulations, while only 17% said they were compliant.

  • Just 1 in 20 financial firms (5.38%) expressed full confidence in their compliance status. 

Teresa Cameron, Group Chief Financial Officer at Clear Junction, commented: “Over the last few years, a wave of new regulations has stretched financial institutions’ resources. DORA is fundamentally about strengthening cyber resilience – preparing for the ‘what ifs’ that businesses often overlook when things are going well. The difference between surviving a cyber incident and failing to recover often comes down to preparation.

“Achieving DORA compliance is just the first step. Businesses also need to ensure that their third-party vendors meet regulatory standards. Without this, vendors could become a significant blind spot in an organisation’s risk management framework. Some firms may have to make tough decisions – either pushing vendors to comply or reducing reliance on non-compliant third parties.”

Managing third-party vendors has proven to be one of the biggest hurdles, with 54% of financial institutions identifying it as their primary concern. Many firms report a lack of transparency from vendors regarding their compliance status, making it difficult to mitigate risks effectively. Without proper oversight, even organisations with robust internal compliance measures could find themselves exposed to regulatory penalties or operational vulnerabilities.

Rather than viewing regulatory compliance as a burden, firms that proactively align with evolving regulations can strengthen their long-term position in the market. Teresa added: “At Clear Junction, we see risk management and compliance as integral to our business model. Our clients don’t just rely on us for payments solutions – they value our strong reputation in regulatory compliance. It’s a competitive advantage.”

Firms that are behind on DORA compliance should take immediate steps, including establishing a clear policy, conducting a gap analysis, and creating an action plan to address vulnerabilities. A proactive approach not only satisfies regulatory requirements but also builds resilience against future threats.
