DORA Requirements for UK Firms: Frequently Asked Questions
The EU's Digital Operational Resilience Act entered into force on 17 January 2025, creating binding ICT risk management obligations for financial entities operating in the EU. UK firms have been asking the same questions ever since: are we in scope? How does DORA interact with FCA PS21/3? What do we actually need to do? This FAQ provides definitive answers to the questions most commonly asked by UK financial firms navigating DORA compliance.
DORA entered into force 17 January 2025. UK firms with EU branches, EU-regulated subsidiaries, or EU ICT relationships may be directly in scope — and all serious UK firms should align to its standards.
DORA Scope and Applicability
DORA applies to financial entities operating in the EU and to critical ICT third-party service providers regardless of where they are established. The five pillars:
- ICT risk management: Documented governance framework, risk assessment, and management policies
- ICT incident reporting: Classification and mandatory reporting of major ICT incidents to regulators
- Digital operational resilience testing: Including TLPT for significant entities
- ICT third-party risk management: Register, oversight, contractual requirements, and concentration risk assessment
- Information sharing: Voluntary sharing of cyber threat intelligence between financial entities
Frequently Asked Questions
Is my UK firm in scope for DORA if we have no EU operations?
If your firm has no EU operations (no EU branch, no EU-regulated subsidiary, and no services provided into the EU), you are not directly in scope for DORA as a financial entity. However, if you use ICT service providers that are in scope of DORA — for example, a major cloud provider that ESMA has designated as a critical ICT third-party service provider — those providers must comply with DORA requirements that may affect the services they provide to you. Additionally, the FCA has signalled that it expects UK firms to adopt resilience standards equivalent to DORA under PS21/3, making DORA compliance relevant to all serious UK financial firms whether or not they have direct EU exposure.
My firm has an EU branch — what do we need to do?
If your firm has an EU branch, the EU-regulated entity (the branch or subsidiary) is directly in scope for DORA. You need to: (1) identify which DORA obligations fall on the EU entity and which are group-level; (2) assess whether your current ICT risk management framework meets DORA's five pillars; (3) review and update contracts with ICT third-party providers to include DORA-required provisions; (4) establish or update your incident classification and reporting procedures for the EU entity; and (5) plan for DORA's resilience testing requirements. Group-level ICT policies that govern the EU entity must be DORA-compliant.
How does DORA interact with the FCA's PS21/3 operational resilience framework?
DORA and PS21/3 address similar objectives — operational resilience — but through different mechanisms. PS21/3 focuses on important business services and impact tolerances; DORA focuses on ICT risk management and third-party risk. The frameworks are complementary rather than identical. For firms subject to both, the practical approach is to build a unified resilience programme that satisfies both frameworks — where DORA and PS21/3 requirements overlap, one set of evidence typically satisfies both; where they diverge, supplementary work is needed. DORA's ICT third-party requirements are generally more prescriptive than PS21/3's outsourcing guidance.
What are DORA's ICT third-party contractual requirements?
DORA Article 30 requires specific provisions in contracts with ICT third-party service providers: clear description of services and service levels; incident notification obligations (the provider must notify the financial entity of ICT incidents); security standards and data processing obligations; right to audit; business continuity provisions; data access and portability requirements; and exit strategy provisions. UK firms with EU exposure must review all material ICT contracts against these requirements and negotiate amendments where gaps exist. This is one of the more time-consuming aspects of DORA implementation.
What is DORA's threat-led penetration testing (TLPT) requirement?
DORA Article 26 requires "significant" financial entities to conduct TLPT at least every three years. Significance is determined by size, systemic importance, and risk profile — not all firms are subject to TLPT. TLPT is intelligence-led penetration testing that simulates real attack scenarios against live production systems using threat intelligence briefings. It is significantly more sophisticated than annual penetration testing. In the UK, the NCSC and Bank of England's CBEST framework is equivalent. Firms subject to TLPT should engage with their lead EU regulator and accredited TLPT providers to plan their testing programme.
Get a DORA gap assessment for your firm
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.