DORA Compliance

DORA applies to UK financial institutions through multiple mechanisms despite Brexit. UK firms with EU subsidiaries or branches must achieve DORA compliance for those EU operations — Brexit does not exempt EU subsidiaries or branches from EU financial regulation. UK firms serving EU clients through regulatory equivalence, third-country licensing, or local authorisations must demonstrate DORA-compliant ICT operational resilience to EU supervisory authorities. UK ICT third-party service providers designated as critical under DORA Article 31 face direct supervisory oversight regardless of location — UK cloud providers, payment processors, and fintech platforms serving EU banks fall under DORA oversight even as non-EU entities. UK firms planning EU market entry must also demonstrate DORA compliance as a prerequisite for authorisation. Even firms without a direct regulatory obligation face commercial pressure: EU clients increasingly mandate DORA-equivalent ICT resilience in vendor contracts, and RFPs specify DORA alignment as a selection criterion. Most UK financial institutions with any EU exposure should assume DORA applicability and conduct a gap analysis. UK firms should consult legal counsel on specific obligations rather than assuming Brexit exemption.

DORA applies to all EU financial entities: credit institutions (banks), payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, central securities depositories, and critical ICT third-party service providers. Non-EU firms with EU operations or clients may also fall within scope. The regulation is effective from January 17, 2025, with mandatory compliance for all in-scope entities.

The Digital Operational Resilience Act establishes 5 key pillars: (1) ICT Risk Management: governance frameworks, risk identification, and protection measures; (2) ICT-Related Incident Reporting: classification and 24-hour reporting of major incidents to regulators; (3) Digital Operational Resilience Testing: vulnerability assessments, scenario testing, and TLPT every 3 years; (4) Third-Party ICT Risk Management: vendor oversight, contractual obligations, exit strategies; (5) Information Sharing: threat intelligence exchange among financial entities.

Threat-Led Penetration Testing (TLPT) is mandatory every 3 years for entities identified as critical or important under DORA. TLPT follows TIBER-EU methodology: intelligence-led threat scenarios based on real adversary tactics, controlled exploitation of vulnerabilities without causing operational disruption, testing of detection and response capabilities, and validation of recovery procedures. Tests must be conducted by independent testers with appropriate financial sector expertise.

Major ICT-related incidents must be reported to competent authorities within 24 hours of classification. This initial notification includes incident classification, estimated impact, and preliminary indicators of compromise. An intermediate report is required within 72 hours with updated impact assessment and remediation progress. A final report is due within 1 month, including root cause analysis, lessons learned, and preventive measures. Significant cyber threats must also be reported when detected.

DORA imposes strict requirements on third-party ICT service provider arrangements. All contracts must include DORA-specific obligations: right to audit, data access and portability provisions, notification requirements for incidents and changes, exit strategies with defined timelines, and sub-contracting limitations. Financial entities must maintain a register of all ICT third-party providers, assess concentration risk from using common suppliers, and implement alternative solutions to avoid vendor lock-in for critical services.

DORA violations can result in significant penalties: up to €10 million or 2% of total annual worldwide turnover for the preceding business year (whichever is higher) for legal persons. Natural persons (individuals) face fines up to €1 million. Additional sanctions include public warnings, temporary bans on activities, withdrawal of authorisations, and personal liability for management bodies. Supervisory authorities may also impose periodic penalty payments to compel compliance and remediation.