Commercial Feature
DORA Legislation Explained: A Guide for UK Financial Services

In today’s financial sector, technology underpins nearly every process — from payments and trading to customer service and risk management. But with this reliance comes significant exposure to cyberattacks, IT failures, and third-party service disruptions. The Digital Operational Resilience Act (DORA) is the EU’s regulatory response, designed to strengthen the sector’s ability to withstand digital shocks.
While the UK is no longer an EU member, DORA cannot be ignored. Many UK firms operate across borders or provide ICT services to European financial institutions, meaning DORA will still apply in practice. This article explains what the legislation covers, how it interacts with UK regulation, and what UK financial services companies should do to prepare.
What Is the Digital Operational Resilience Act (DORA)?
DORA is an EU regulation adopted in 2022 that creates a single, harmonised framework for managing digital resilience across the financial sector. Because it is a regulation, it applies directly in all EU member states without needing national transposition. As Wikipedia’s summary of DORA explains, its primary goal is to ensure that banks, insurers, asset managers, and critical ICT providers can resist, respond to, and recover from ICT-related disruptions.
The regulation is structured around five key pillars:
- ICT risk management: financial firms must implement a robust ICT risk management framework, covering the entire lifecycle of ICT assets.
- Incident reporting: major ICT-related incidents must be classified and reported to regulators within strict timelines.
- Resilience testing: entities must perform regular testing, including advanced threat-led penetration tests.
- Third-party risk management: outsourcing to ICT providers must be governed by strict contractual and oversight requirements.
- Information sharing: firms are encouraged to exchange threat intelligence and cooperate on resilience initiatives.
The regulation entered into force on 16 January 2023 and applies in full from 17 January 2025, giving firms a two-year window to align their practices.
Does DORA Apply to the UK Post-Brexit?
Strictly speaking, DORA is EU law and therefore does not automatically apply in the UK. Its reach extends beyond the EU's borders in two ways, however. First, an EU financial entity must push DORA's contractual requirements (audit and access rights, termination and exit provisions, incident cooperation) onto every ICT provider it uses, wherever that provider sits; a UK-based ICT provider that supports an EU bank's core systems will therefore see DORA's third-party obligations arrive through its contract. Second, an ICT provider designated as critical is overseen directly by the EU supervisory authorities, and a provider established outside the EU that is designated critical must set up a subsidiary in the EU to remain in scope for that oversight.
As Greenberg Traurig explains, DORA directly impacts non-EU firms offering critical ICT services into the bloc. UK financial institutions operating in the EU through licensed entities will also need to comply.
Meanwhile, the UK has its own frameworks. The FCA, PRA and Bank of England have established operational resilience requirements, in force since March 2022 with a transition period running to 31 March 2025, focused on identifying important business services, setting impact tolerances, mapping and testing the resources that support those services, and ensuring continuity in severe but plausible scenarios. These rules are principles-based, whereas DORA is more prescriptive and sets specific requirements for contracts, incident reporting and testing. As UK Finance notes, many UK firms will need to navigate both regimes simultaneously.
For a detailed breakdown of how the regulation’s technical standards affect UK entities, see Copla’s analysis: Implications, regulations and technical standards of DORA for UK entities.
Key Pillars of DORA — What UK Firms Should Know
ICT Risk Management
DORA requires firms to establish a comprehensive ICT risk framework, covering asset management, business continuity, recovery, and governance. Senior management must take responsibility for ICT resilience, embedding it at the strategic level.
Incident Reporting & Classification
Incidents must be detected, classified against DORA's materiality criteria (clients affected, duration, geographic spread, data losses, criticality of services, economic impact) and reported promptly. This represents a significant shift for UK firms that today report only when a UK regulatory threshold is crossed. Under DORA, a major ICT-related incident triggers a chain of reports: an initial notification, an intermediate report and a final report. The technical standards set the initial notification at four hours from classifying the incident as major and no later than 24 hours from becoming aware of it, with the intermediate report due within 72 hours and the final report within a month. Firms will need detection and escalation workflows that can produce an accurate classification, not just a detection alert, inside that first window.
Resilience Testing
Firms will need to conduct a programme of tests proportionate to their size and risk profile, including vulnerability assessments and scans, scenario-based tests and, for entities their regulator designates, advanced threat-led penetration testing (TLPT) at least every three years. DORA's TLPT follows the TIBER-EU model and is similar in approach to the Bank of England's CBEST framework: an intelligence-led red team exercise against live production systems, so existing CBEST work may be reusable. The objective is to show that systems can withstand sophisticated, real-world attacks, and to remediate what the tests find.
Third-Party Risk Management
Perhaps the most disruptive pillar for UK firms is the regulation of ICT outsourcing. DORA imposes strict rules on contracts, requiring provisions on audit and inspection rights, access to and recovery of data, service levels, incident cooperation, subcontracting and exit strategies, and it requires firms to maintain a register of all their ICT third-party arrangements. Some ICT providers may be designated as "critical" by the European Supervisory Authorities and supervised directly by a Lead Overseer; a critical provider established outside the EU must set up an EU subsidiary. This could pull UK cloud or IT service providers into the regulatory net.
Information Sharing
While partly voluntary, DORA encourages firms to collaborate on sharing cyber threat intelligence, creating a more collective approach to resilience.
Implications for UK Financial Services
For UK firms, the implications are twofold. Directly, they may need to comply with DORA if they operate in EU markets or provide critical ICT services to EU institutions. Indirectly, they may be contractually bound by EU partners that flow DORA obligations down the supply chain.
Compliance will involve costs: gap assessments, system upgrades, staff training, and contractual renegotiations. But there are benefits too — firms that can demonstrate DORA compliance may gain a competitive edge, reassuring clients and regulators of their resilience.
Key Challenges for UK Firms
The road to compliance is not straightforward. Among the challenges are:
- Mapping existing UK frameworks to DORA's prescriptive requirements
- Managing complex supply chains and subcontractors
- Running advanced resilience testing programmes
- Reconciling EU and UK regimes without duplicating work
- Renegotiating supplier contracts to include new audit and exit provisions
- Embedding ICT risk management into governance at the board level
These are not minor adjustments; they require structural change and senior management buy-in.
Practical Steps Towards Compliance
UK firms can get ahead by taking the following actions: conduct a gap assessment against DORA requirements, map critical ICT dependencies, review and amend supplier contracts, strengthen incident detection and reporting workflows, and plan for resilience testing. Aligning these actions with the UK’s own resilience rules can reduce duplication.
Equally important is education. Business units and boards need to understand DORA’s impact and allocate resources early. By embedding digital resilience into strategy now, firms can avoid last-minute scrambles in 2025.
Looking Ahead
With the 17 January 2025 application date looming, European regulators will increase scrutiny, and the technical standards that flesh out the regulation will continue to evolve. At the same time, the UK is building its own regime for critical third parties under the Financial Services and Markets Act 2023, which gives the regulators powers over designated providers and creates a parallel framework to DORA's oversight of critical ICT providers. Firms should expect growing convergence between EU and UK resilience regimes.
Ultimately, DORA should not be viewed solely as a compliance burden. Instead, it offers UK firms an opportunity to strengthen digital resilience, protect their reputation, and win client trust in a challenging cyber landscape.
Conclusion
DORA represents a step change in financial regulation, forcing firms to treat ICT resilience as strategically important as capital adequacy or liquidity. For UK businesses, ignoring DORA is not an option — the cross-border nature of finance and technology means exposure is likely, whether directly or indirectly.
By acting now — performing gap analyses, engaging suppliers, preparing incident workflows, and embedding resilience at the governance level — UK firms can not only meet regulatory expectations but also differentiate themselves. In a world where clients and regulators value operational continuity above all, DORA provides both a challenge and a roadmap for success.