What DORA Is and Why It Exists
The Digital Operational Resilience Act (EU Regulation 2022/2554) came into force on 17 January 2025 across all EU member states. It was born from a recognition that financial services has become so dependent on ICT systems that a major technology failure or cyber attack could trigger systemic financial instability. Before DORA, ICT risk management in financial services was fragmented across multiple directives and national frameworks. DORA creates a single, harmonised framework covering ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. It applies to virtually every type of financial entity: banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critically, the ICT third-party service providers they depend on.
Why UK Firms Cannot Ignore an EU Regulation
DORA is EU legislation, but its reach extends firmly into the UK. Any UK financial services firm that operates in the EU, serves EU customers, or relies on EU-based ICT providers is affected. UK subsidiaries of EU financial groups must comply directly. More practically, EU-regulated counterparties will increasingly require DORA-equivalent assurances from UK firms they do business with — creating a market-driven compliance pressure even where the legal obligation is indirect. The FCA and PRA have their own operational resilience framework (PS21/3) which shares DORA's philosophy but differs in specifics. UK firms with EU exposure effectively need to satisfy both regimes, and aligning with DORA's more prescriptive requirements generally achieves PS21/3 compliance as well.
The Five Pillars of DORA
DORA is structured around five core pillars that together create a comprehensive operational resilience framework. Each pillar has specific requirements that financial entities must implement proportionate to their size, risk profile, and the complexity of their ICT systems. The framework is deliberately prescriptive compared to previous principles-based approaches — DORA specifies not just what firms must achieve but how they must demonstrate it. The European Supervisory Authorities (EBA, ESMA, EIOPA) have published Regulatory Technical Standards adding further detail to each pillar.
- ICT Risk Management: documented framework, risk identification, protection measures, detection capabilities, response and recovery plans
- ICT Incident Reporting: classification taxonomy, 4-hour initial notification for major incidents, intermediate and final reports
- Digital Operational Resilience Testing: annual basic testing, threat-led penetration testing (TLPT) every 3 years for significant entities
- ICT Third-Party Risk Management: pre-contract due diligence, contractual requirements, ongoing monitoring, exit strategies, register of all ICT third-party arrangements
- Information Sharing: voluntary cyber threat intelligence sharing between financial entities
ICT Third-Party Risk: The Most Challenging Pillar
For most financial services firms, the third-party risk management pillar presents the greatest implementation challenge. DORA requires firms to maintain a complete register of all ICT third-party arrangements, including sub-outsourcing chains. Each arrangement must be risk-assessed, and contracts must include specific DORA-mandated clauses covering audit rights, data location, incident notification, and exit planning. Critical or important ICT providers are subject to enhanced oversight, including on-site inspections. The practical challenge is enormous: a mid-sized bank might have hundreds of ICT supplier relationships, many established years ago on contracts that predate DORA. Renegotiating these contracts, establishing monitoring processes, and building exit strategies for critical providers represent a multi-year programme of work. Tools like Panorays can automate the continuous monitoring of third-party security posture, but the contractual and governance work requires dedicated human effort.
Building a DORA Compliance Programme
Start with a gap analysis against each of the five pillars, prioritising ICT risk management and third-party risk as the areas most likely to require significant work. Map your ICT landscape comprehensively — you cannot manage risk you have not identified. Establish your incident classification taxonomy early, as the 4-hour notification window for major incidents leaves no time for ad-hoc decision-making. For resilience testing, build on existing penetration testing programmes but ensure they meet DORA's specific methodology requirements, particularly for TLPT. Most importantly, ensure board-level engagement from the outset. DORA explicitly requires the management body to approve and oversee the ICT risk management framework — this is not an IT project, it is a board governance obligation.
Frequently Asked Questions
Does DORA apply to UK financial services firms?
DORA is EU legislation, but it affects UK firms that operate in the EU, serve EU customers, or rely on EU-based ICT providers. UK subsidiaries of EU financial groups must comply directly. EU counterparties also increasingly require DORA-equivalent assurances from UK partners, creating market-driven compliance pressure.
What is the DORA incident reporting timeline?
Major ICT incidents must be reported with an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month. The classification criteria are defined in Regulatory Technical Standards published by the European Supervisory Authorities.
How does DORA differ from the FCA/PRA operational resilience framework?
The FCA/PRA framework (PS21/3) focuses on important business services and impact tolerances, while DORA takes a broader ICT risk management approach with prescriptive requirements across five pillars. DORA is more detailed on third-party risk and incident reporting. Firms with EU exposure generally need to satisfy both, with DORA compliance typically covering PS21/3 requirements.
What are the penalties for DORA non-compliance?
EU member state competent authorities set specific penalties. DORA allows for administrative penalties and remedial measures including public statements, orders to cease conduct, and pecuniary penalties. For critical ICT third-party providers, the lead overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover.