- DORA has direct scope for many UK-headquartered and EU-connected financial services firms
- Supply chain and client-driven requirements mean the indirect impact is broader than direct scope alone
- UK domestic regulation is moving in the same direction — DORA readiness is relevant even where direct scope does not apply
DORA — the Digital Operational Resilience Act — has been described in various contexts as an EU-only concern, as a financial services regulation, and as something that UK firms left behind along with the rest of EU law after Brexit. All three of those descriptions miss important parts of the picture.
The reality is that DORA’s practical impact on UK businesses is more significant and more immediate than many organisations have assumed. Understanding that impact requires a clear view of three separate questions: who falls directly within the regulation’s scope, who is affected through supply chain and commercial relationships, and whether UK domestic regulatory expectations are moving in a direction that makes DORA-aligned preparation valuable regardless of formal scope.
What DORA actually is
The Digital Operational Resilience Act is an EU regulation that came into full application on 17 January 2025. Its stated purpose is to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The European Commission describes it as a harmonisation of digital resilience requirements across the EU financial sector — replacing a patchwork of sector-specific rules with a single comprehensive framework.
The regulation establishes requirements across five areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements.
The intent is explicitly governance-focused. The regulation does not primarily specify which technologies financial entities should use or which security products they should deploy. It specifies how they should manage technology risk — with clear ownership, structured processes, consistent evidence, and demonstrable accountability at senior management level.
Who falls within direct scope
The regulation applies to a defined list of financial entities — including credit institutions, payment institutions, insurance and reinsurance undertakings, investment firms, crypto-asset service providers, and a range of other financial and financial-adjacent entities operating within the EU. ICT third-party service providers supplying services to in-scope entities are also captured where their services are considered critical or important.
For UK firms, the immediate question is whether they have EU-regulated operations, subsidiaries, or branches that fall within the regulatory scope. Many do. UK-headquartered financial services groups with European operating entities are subject to DORA in respect of those entities, and the requirement to ensure compliance across the group often creates de facto DORA requirements for the UK parent entity in terms of governance, risk management, and reporting consistency.
UK technology companies and service providers supplying services to EU-regulated financial institutions may also fall within scope as ICT third-party service providers, depending on the classification of the services they provide. This is an area where scope analysis can be complex and where early legal review is valuable.
The indirect impact: supply chain and client requirements
Even where direct scope does not apply, the commercial impact of DORA on UK businesses is real and growing.
EU-regulated financial institutions are required under DORA to manage their ICT third-party risk — including through contractual requirements, risk assessments, and ongoing monitoring. Many of those institutions are already flowing those requirements down to their UK technology and services suppliers through revised commercial agreements, due diligence questionnaires, and procurement processes.
The practical consequence is that UK businesses supplying services to EU-regulated clients are increasingly being asked to demonstrate operational resilience, incident management capability, and security governance that aligns with DORA’s expectations. Where those expectations cannot be met, the commercial relationship is at risk.
This is the mechanism by which DORA’s reach extends well beyond its formal scope. Clients do not need their suppliers to be directly regulated by DORA. They need their suppliers to meet the standards that DORA requires of them as part of their third-party risk management obligation.
What the UK regulatory direction means
The UK financial regulators — primarily the FCA and the Prudential Regulation Authority, alongside the Bank of England for systemically important firms — have developed their own operational resilience framework that has significant alignment with DORA’s principles.
The FCA’s operational resilience rules, which came into full force in March 2022, require in-scope UK firms to identify their important business services, set impact tolerances, test their ability to remain within those tolerances under disruption scenarios, and demonstrate evidence of their resilience capabilities. The Bank of England and PRA have issued parallel requirements for the firms they supervise.
The philosophical alignment between the UK framework and DORA is not coincidental. Both reflect the same regulatory concern: that financial services organisations have become highly dependent on complex, interconnected technology systems, and that the governance around those dependencies has not kept pace with the risk they create.
The UK framework is not identical to DORA. There are meaningful differences in scope, thresholds, and specific requirements. But the direction is consistent, and the businesses that invest in the governance capabilities that DORA and the UK framework jointly require are building resilience that is valuable regardless of which regulatory regime applies.
The five practical areas that require attention
For businesses assessing their DORA exposure or building toward DORA-aligned resilience, the five areas of the regulation each have practical implications.
ICT risk management requires a structured, documented approach to managing technology risk at a business level — not as an IT matter, but as a business resilience matter with senior management ownership and oversight. For many mid-market firms, this represents a shift from reactive incident management to proactive risk governance.
Incident management and reporting requires clear processes for identifying, classifying, and escalating significant ICT incidents. The regulation specifies timelines and formats for major incident reporting that go beyond what most organisations currently maintain.
Resilience testing requires organisations to regularly test their ability to maintain operations under disruption conditions. For larger or more systemically important entities, this includes threat-led penetration testing. For others, the requirements are more proportionate but still substantive.
Third-party risk management requires a documented approach to managing ICT supplier relationships — including a supplier register, risk classification, contractual requirements, and ongoing monitoring. This is an area where most organisations have significant work to do.
Information sharing, the fifth pillar, relates to participation in threat intelligence sharing arrangements. This is often the most straightforward component for well-governed organisations.
Sources
European Commission – Digital Operational Resilience Act (DORA)
FCA – Operational resilience
Bank of England – Operational resilience policy