Although the Digital Operational Resilience Act (DORA) is an EU regulation, its influence will extend beyond EU borders—particularly into the UK financial sector. Given the UK’s strong financial ties with Europe, many firms operating in or interacting with EU markets will need to align with DORA’s standards to ensure continued business relationships and regulatory compliance.
UK-based financial institutions and ICT providers serving EU clients will need to demonstrate compliance not just to safeguard their market position but also to maintain trust with regulators, partners and customers. Even those without a physical EU presence could find themselves affected if they offer cross-border services or manage supply chains connected to Europe.
Although compliance became mandatory on 17 January 2025, a Censuswide survey revealed that 43% of UK financial services organisations are still in the early stages of getting to grips with DORA—and anticipate being non-compliant for at least three more months, increasing their exposure to potential regulatory penalties.
Whether DORA applies to a given UK business depends on what it does for the EU financial sector. The scope of entities covered under DORA is very broad: businesses of any size, from small to large, that provide critical or important services to EU financial entities fall within the regulation, either directly as financial entities or indirectly as ICT third-party service providers.
Requirements vary depending on the size and risk profile of the company. For instance, a microbusiness (in DORA's terms a microenterprise: fewer than 10 employees and an annual turnover or balance sheet total not exceeding EUR 2 million) must review its ICT risk management framework periodically rather than at least once a year, as larger financial entities must. In addition to less frequent framework reviews, DORA offers another concession to microbusinesses by allowing more flexibility in resilience testing. Specifically, Article 25 of DORA permits microbusinesses to combine a risk-based approach with strategic planning of their ICT testing. This means they can allocate resources and time based on the urgency, type of risk and criticality of their information assets and services rather than adhering strictly to rigid testing schedules. This flexibility aims to ensure that smaller firms maintain operational resilience without being overburdened by regulatory requirements designed for larger entities.
It is important to note that while microbusinesses are subject to reduced requirements, they are still expected to manage third-party risks effectively, especially if they provide services to larger financial institutions. This underscores the interconnected nature of operational resilience under DORA and the need for even smaller firms to stay aligned with broader ecosystem expectations.
DORA aligns with several aspects of existing UK operational resilience frameworks, such as the FCA's PS21/3 (Building operational resilience). You can leverage your existing efforts, including threat-led penetration testing (simulated attacks), dependency mapping, and identification of important business services, as a foundation for DORA compliance.
However, meeting UK standards alone does not guarantee full compliance with DORA. If your organisation falls under DORA's scope, it is essential to understand the regulation's scope and requirements and to conduct a gap analysis that maps each DORA obligation (ICT risk management, incident reporting, resilience testing and third-party risk) against your current controls to identify areas requiring additional focus.
Is a Future UK Version of DORA Likely?
Yes, a future UK equivalent of the DORA (Digital Operational Resilience Act) is likely. The UK already regulates operational resilience in financial services through the FCA and PRA (PS21/3 and SS1/21) and, under the Financial Services and Markets Act 2023, has introduced a regime for overseeing critical third parties to the financial sector, so regulators are moving in a similar direction to DORA in addressing operational risks associated with technology and cyber threats. This aligns with broader efforts to ensure that financial institutions can effectively manage disruptions and maintain stability. Keep an eye on regulatory updates for more specific developments on the FCA's website.
In this section, we’ll explore the main changes for UK firms, including enhanced resilience expectations, cross-border DORA compliance challenges and new reporting obligations. Beyond compliance, these changes also present strategic opportunities to strengthen business continuity, build trust and gain a competitive edge.
For UK-based firms, DORA will introduce a renewed emphasis on operational resilience. Many financial institutions already follow the UK’s Financial Conduct Authority (FCA) requirements on operational resilience, but DORA introduces more detailed ICT-specific obligations.
Changes for UK Firms:
For firms operating across the EU and UK, DORA will act as a framework for harmonising compliance efforts. While the UK has its own operational resilience regulations, firms with operations in both regions must align with both DORA and FCA requirements to remain compliant and avoid disruptions.
What to Expect:
DORA places significant responsibility on financial institutions to monitor third-party ICT providers, which will require UK firms to tighten their outsourcing policies and review vendor contracts.
Impact on UK Firms:
To get ahead of third-party risk, check out our DORA Compliance Services.
Under DORA, firms are required to report major ICT-related incidents to their competent authority within tight timeframes, a process that UK firms dealing with the EU market will need to adopt. Under the technical standards on incident reporting, this means an initial notification within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month, so the incident classification decision itself must be made quickly and documented. Failing to comply with these reporting obligations can result in hefty fines and reputational damage.
Reporting Requirements:
While DORA introduces new regulatory burdens, it also offers UK firms the chance to build trust, resilience and competitive advantage. Firms that proactively adopt DORA practices will benefit from greater operational stability and customer confidence in the long term.
Opportunities Include:
Failure to align with DORA’s standards could result in disruptions, reputational damage, and strained business relationships, making early preparation essential. Ensure you are familiar with the timeline for compliance. See all the key deadlines in our comprehensive overview of the Digital Operational Resilience Act.
Sam Raven, Risk Consultant and ISA at Risk Crew, emphasises the importance of operational resilience. "DORA reshapes the European financial landscape; UK firms can stay ahead by implementing resilient ICT frameworks. Compliance with both FCA and DORA requirements will not only protect your operations but also foster customer trust and business growth."
Developing a well-structured compliance roadmap is essential to achieving and maintaining your organisation's operational resilience. This roadmap serves as a strategic guide, helping you break down complex regulatory requirements into manageable steps. It outlines the main activities, such as ICT risk assessments, incident management processes, third-party vendor evaluations and ongoing monitoring practices. A clear plan ensures that compliance efforts align with available resources and timelines, preventing last-minute rushes and inefficiencies.
The roadmap helps prioritise critical areas like vulnerability testing, incident reporting, and cyber security enhancements, ensuring your organisation stays ahead of potential disruptions.
This proactive approach not only ensures long-term operational stability but also positions your organisation as a resilient and trustworthy player in an increasingly interconnected financial ecosystem.
Read what Risk Crew recommends for your DORA compliance roadmap outline.