With the EU’s Digital Operational Resilience Act (DORA) now in full effect, a new report has warned that financially regulated sub-sectors in the UK are failing to adequately safeguard systems against cyber threats – placing firms at significant risk of non-compliance.
The ‘DORA Readiness Report’, by compliance training provider Skillcast, analysed over 270 leading UK companies in nine financially regulated sub-sectors, considering key factors directly related to DORA – including regulatory compliance, cybersecurity, and operational resilience. Each sub-sector was then assigned a weighted index score out of 105 to gauge readiness for DORA compliance.
The report highlights a severe gap in cybersecurity resilience, revealing that nearly two in five (37%) of the complaints reported to the Information Commissioner’s Office (ICO) across the analysed firms were cybersecurity incidents.
This comes as the report reveals that three-quarters of the firms analysed have operations in the EU, yet only 16% hold Cyber Essentials Plus certification – a UK government-backed scheme whose controls align directly with DORA’s objective of strengthening operational resilience.
The findings are underscored by the increasing sophistication of cybercrime, as seen in the recent case of UK engineering firm Arup, which lost $25 million to fraudsters after AI was used to digitally clone a senior manager – in what is the world’s biggest known deepfake scam.
UK businesses are estimated to have lost £44 billion in revenue to cybercrime over the past five years, while 54% of global financial institutions reported attacks in 2024, resulting in stolen or destroyed data.
Among the sub-sectors analysed, corporate and specialist services emerged as the most prepared for DORA, with the maximum index score of 105. The sub-sector reported just two cybersecurity incidents and no FCA fines or complaints over the past two years, while also leading in Cyber Essentials Plus adoption – with three times as many certified firms as the least prepared sub-sector.
Conversely, banking and lending scored just 37 out of 105, marking these firms most at risk of non-compliance with DORA. Between 2023 and 2024, firms in this sub-sector incurred seven FCA fines totalling over £96 million, highlighting a serious pattern of non-compliance.
Elsewhere, the insurance and risk management (66), investments and wealth management (63), and financial transaction processing (55) sub-sectors ranked among the least prepared for DORA compliance, rounding out the bottom four.
The financial transaction processing sub-sector was found to be the most vulnerable to cyber threats, with three-quarters of its ICO complaints classified as cybersecurity incidents.
With global firms such as Mastercard, Monzo and Revolut operating within this space, the findings underscore the urgent need for stronger cybersecurity and operational resilience – particularly as failure to comply with DORA could result in severe financial penalties.
DORA Readiness Index

| Sub-Sector | Index Score (out of 105) |
| --- | --- |
| Corporate and Specialist Services | 105 |
| Property and Real Estate Finance | 99 |
| Capital Markets and Trading | 89 |
| Pensions and Retirement Planning | 79 |
| Fintech and Technology | 75 |
| Insurance and Risk Management | 66 |
| Investments and Wealth Management | 63 |
| Financial Transaction Processing | 55 |
| Banking and Lending | 37 |
Vivek Dodd, CEO at Skillcast, commented:
“Compliance with the Digital Operational Resilience Act (DORA) should be a priority for any business with operations in the EU, not just those in financially regulated sub-sectors. Firms must be looking to strengthen risk management and cybersecurity resilience – not only to avoid financial and reputational penalties but to safeguard their assets in the long term.
“Our ‘DORA Readiness Report’ reveals that while UK financial firms meet basic operational standards, many are in fact failing to adequately protect their systems, with evident weaknesses in existing operational infrastructures. The banking and lending and financial transaction processing sub-sectors, in particular, are at a high risk of non-compliance, leaving them exposed to increasingly sophisticated attacks and regulatory scrutiny.
“To stay resilient, businesses must move beyond compliance checkboxes and invest in comprehensive risk management frameworks – from real-time incident monitoring to rigorous testing. Employee awareness is also fundamental, as role-specific DORA compliance training can bridge resilience gaps to ensure teams are best equipped to handle critical functions and effectively carry out recovery measures for business continuity in the long term.”