DORA and UK firms: what the EU regulation means for your operations
The EU Digital Operational Resilience Act (DORA), which applied from 17 January 2025, imposes a comprehensive ICT risk management framework on financial entities operating within the EU. While DORA is an EU instrument and does not directly apply to UK-only entities, UK-headquartered financial firms with EU-regulated subsidiaries, branches, or significant third-country firm designations are firmly within scope. For many large UK financial groups, DORA creates a parallel compliance obligation that runs alongside the FCA and PRA's domestic operational resilience framework — and the two frameworks, while conceptually aligned, differ significantly in their technical requirements.
DORA's scope covers a broad range of financial entities including credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, e-money institutions, and fund managers. It also brings critical ICT third-party service providers (CTPPs) — primarily large cloud providers and data analytics firms — under direct EU supervision for the first time. UK firms that provide ICT services to EU financial entities may themselves be designated as CTPPs and subject to oversight by the joint supervisory team constituted by the ESAs. This is a significant extraterritorial element that UK firms in the technology-for-finance sector need to assess carefully.
The five pillars of DORA — ICT risk management, ICT incident classification and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing — each impose specific obligations. On incident reporting, DORA requires classification of major ICT-related incidents and significant cyber threats, with initial notification to competent authorities within four hours of classification, intermediate reports within 72 hours, and final reports within one month. UK firms operating EU entities must ensure their incident management procedures can deliver these timelines, which are tighter than those currently applicable under the FCA's SUP 15 notifications regime for most incident types.
DORA's threat-led penetration testing (TLPT) requirement applies to significant financial entities (broadly those meeting systemic importance criteria) on a three-year cycle, using a framework based on TIBER-EU. The test must cover live production systems and must be conducted by certified external testers. For UK groups, the question of whether a TLPT conducted for an EU subsidiary also satisfies the FCA's CBEST expectations (where applicable) is a matter requiring early engagement with both regulators. There is alignment in philosophy but not in the precise technical standards.
UK divergence and gap analysis
UK firms with EU operations should map their existing FCA/PRA operational resilience and ICT risk documentation against DORA's requirements, identify gaps — particularly in ICT register maintenance, concentration risk reporting, and CTPP contractual requirements — and develop a remediation plan. Firms that have already invested heavily in compliance with the FCA's operational resilience framework will have a head start, but should not assume equivalence without a structured gap analysis.