The Digital Operational Resilience Act (DORA) is now in force, yet many firms remain non-compliant. A recent report has highlighted significant gaps in risk management and cybersecurity resilience across the fintech sector, reinforcing concerns that financial institutions have not taken sufficient action to meet DORA’s stringent requirements. 

Non-compliance with DORA is a significant risk for businesses across the UK, particularly those interacting with the EU.

A recent report from Skillcast, analysing risk management and cybersecurity across fintech firms, revealed a worrying trend: despite the regulatory mandate, many organisations still lack robust processes for managing third-party risk, ICT governance, and incident reporting – all key components of DORA compliance.

What Did the Report Reveal?

Among the key deficiencies identified:

  • Gaps in third-party risk management – Many fintechs are failing to implement comprehensive oversight of their ICT service providers, a critical DORA requirement.
  • Weaknesses in cybersecurity resilience – Despite increasing threats, firms are struggling to put in place sufficient safeguards to protect critical financial infrastructure.
  • Lack of preparedness for operational disruptions – Effective incident response planning is still not embedded across the sector, leaving firms vulnerable to cyberattacks and system failures.

The report highlights concerns about gaps in cybersecurity preparedness across the sector overall. It emphasises the urgent need for businesses to invest in risk management frameworks and build a culture of compliance.

DORA Compliance: What Firms Should Be Doing Now

DORA sets a high bar for digital resilience, requiring firms to proactively manage ICT risks, ensure business continuity, and maintain regulatory oversight of third-party service providers. At AJC, we’ve been supporting firms in navigating these challenges and have identified key steps that financial institutions should be prioritising:

1. Review and Strengthen ICT Risk Management Frameworks
Firms must adopt a structured approach to identifying, assessing, and mitigating ICT risks. This includes setting up robust governance structures and conducting regular risk assessments.

2. Enhance Third-Party Risk Oversight
Under DORA, financial entities are responsible for the resilience of their ICT service providers. Firms should map out all critical third-party dependencies, implement contractual oversight mechanisms, and establish incident response protocols with external vendors.

3. Develop a Comprehensive Incident Response Plan
DORA mandates that firms have clear procedures for detecting, managing, and reporting ICT-related incidents. Regular testing and simulation exercises will be crucial to ensuring resilience.

4. Ensure Compliance with Reporting Requirements
Firms must be prepared to report major ICT incidents to regulators within defined timeframes. Establishing streamlined reporting processes now will prevent ongoing compliance issues.

5. Conduct Regular Testing and Cyber Resilience Drills
The ability to withstand cyber threats is a fundamental measure of DORA compliance. Firms should conduct penetration testing, red teaming, and crisis simulations to identify vulnerabilities before they become regulatory issues.

Non-Compliance with DORA Poses Serious Risks

With DORA now fully in force, firms that remain non-compliant face regulatory scrutiny, financial penalties, and reputational damage. The Skillcast report underscores that many organisations still have work to do – but there is still time to rectify compliance gaps before enforcement actions escalate.

At AJC, we help financial firms navigate the complexities of DORA compliance, ensuring they have the right frameworks, policies, and resilience measures in place. If your organisation is still unsure of its compliance status, now is the time to act.

Get in touch with AJC today to discuss how we can support your organisation’s DORA compliance journey. Contact us on 020 7101 4861 or email info@ajollyconsulting.co.uk if you think we can help.

 
