DORA and UK Financial Services: What Firms With EU Operations Must Do Now
The EU's Digital Operational Resilience Act (DORA) entered into force on 17 January 2025, creating binding ICT risk management, incident reporting, and third-party oversight obligations for financial entities operating in the EU — and for their ICT service providers, regardless of where those providers are based. UK-headquartered firms with EU branches, EU-regulated subsidiaries, or EU clients are in scope. The FCA has signalled it expects equivalent resilience standards under PS21/3, making DORA compliance relevant to every serious UK financial firm whether or not they have direct EU exposure.
DORA entered into force on 17 January 2025 — UK firms with EU operations or EU ICT providers are in scope from day one.
Which UK Firms Are Directly in Scope of DORA
DORA applies to financial entities operating in the EU and to their critical ICT third-party service providers. UK firms are in scope if:
- They operate a branch or subsidiary regulated in an EU member state
- They provide services to EU-regulated financial entities as a critical ICT provider (cloud, data, software)
- They are part of a group that includes EU-regulated entities — group-level ICT policies must be DORA-compliant
- They use EU-based cloud or data providers that are themselves under DORA oversight
What DORA Requires — The Five Pillars
DORA is structured around five areas that map closely to — but in some cases exceed — FCA PS21/3 requirements:
- ICT Risk Management: Documented framework identifying, classifying, and managing all ICT risks; board-level accountability
- ICT Incident Reporting: Classification of incidents by severity; major incidents reported to the competent authority within 4 hours of classification, with a full report within 72 hours
- Digital Operational Resilience Testing: Annual threat-led penetration testing (TLPT) for significant firms; vulnerability assessments for all
- ICT Third-Party Risk: Register of all ICT contracts; mandatory contractual provisions with providers; supervisory oversight of critical third-party providers
- Information Sharing: Financial entities encouraged to share cyber threat intelligence through information-sharing arrangements
How FCA PS21/3 and DORA Align — and Where They Diverge
The FCA has acknowledged that DORA and PS21/3 share common principles: identifying important business services, setting tolerances, testing resilience, and evidencing recovery capability. However, DORA goes further in three areas. First, its incident classification and reporting timelines are more prescriptive (4 hours vs. FCA's reasonable promptness standard). Second, DORA mandates detailed contractual provisions in ICT supplier contracts — exit rights, audit access, SLA specifications. Third, DORA requires a formal register of all ICT third-party relationships, reviewed annually. Firms preparing for DORA compliance will find their FCA obligations satisfied as a by-product.
How Panorays Supports DORA Third-Party Compliance
DORA's most operationally demanding requirement for most firms is the ICT third-party risk framework: maintaining a live register, conducting due diligence, and monitoring providers continuously. Panorays automates exactly this — scanning your vendors' external-facing security posture, tracking changes, and generating the documented evidence of oversight that DORA requires. For firms that currently manage vendor risk through annual questionnaires, Panorays replaces that inadequate process with continuous monitoring and structured risk scoring.
Frequently Asked Questions
Does DORA apply to UK firms that have no EU presence?
UK firms with no EU-regulated entities, no EU clients, and no role as ICT providers to EU financial entities are not directly subject to DORA. However, the FCA has signalled convergence between PS21/3 and DORA principles. Firms that build DORA-equivalent resilience programmes will be demonstrably compliant with FCA expectations — and better positioned if the FCA formally adopts DORA-equivalent standards.
What are the penalties for DORA non-compliance?
DORA penalties are set by each EU member state's competent authority. For critical ICT third-party providers, fines can reach 1% of global average daily turnover, applied daily until compliance is achieved. For financial entities, penalties are determined under existing national supervisory frameworks — in practice, FCA-equivalent consequences for UK-regulated entities operating in the EU.
How long does DORA compliance take to implement?
The ICT risk management framework and incident reporting processes typically take 3–6 months for a mid-size firm starting from a documented PS21/3 baseline. Third-party risk management and the ICT contract register are the most time-consuming elements — firms with many undocumented vendor relationships should begin immediately. DORA has been in force since January 2025, so there is no implementation grace period remaining.