Financial Regulation

DORA Compliance: What UK Financial Firms Need to Know Now

The Digital Operational Resilience Act (DORA) has applied since 17 January 2025, establishing comprehensive requirements for ICT risk management across the EU financial sector. UK firms with EU operations or clients must understand their obligations.

1 October 2025, 10 min read

What Is DORA?

DORA (Regulation (EU) 2022/2554) creates a unified framework for digital operational resilience across EU financial services. It addresses the sector's increasing reliance on ICT systems and the systemic risk posed by concentration on a small number of third-party technology providers.

Application Date: DORA entered into force on 16 January 2023 and became applicable on 17 January 2025. All in-scope entities must now be able to demonstrate compliance.

Who Does DORA Apply To?

DORA applies to a broad range of financial entities, and its oversight framework also reaches the ICT providers on which they depend:

  • Credit institutions and payment institutions
  • Investment firms and trading venues
  • Insurance and reinsurance undertakings
  • Asset managers and fund administrators
  • Crypto-asset service providers
  • ICT third-party service providers designated as critical (subject to oversight rather than to the obligations placed on financial entities)

UK Relevance Post-Brexit

Although DORA is EU legislation, UK firms are affected in several ways:

  • UK firms with EU subsidiaries or branches
  • UK firms providing services to EU clients
  • UK ICT providers serving EU financial entities
  • Potential UK equivalence requirements

The FCA and PRA have indicated they are monitoring DORA and may introduce similar requirements for UK-only firms.

Five Pillars of DORA

1. ICT Risk Management

Financial entities must establish comprehensive ICT risk management frameworks:

  • Board-level accountability for ICT risk
  • ICT risk management strategy and policies
  • Business continuity and disaster recovery plans
  • Learning and evolving from incidents

2. ICT-Related Incident Reporting

Major ICT-related incidents must be reported to the competent authority, and the clock for each report starts from a defined event:

  • Classification of incidents as major against DORA's criteria (clients and counterparts affected, duration, geographical spread, data losses, criticality of services, economic impact)
  • Initial notification within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it
  • Intermediate report within 72 hours of the initial notification
  • Final report within one month of the intermediate report

The 4-hour initial notification requirement is significantly shorter than many existing incident reporting obligations, and because the 24-hour cap runs from awareness, slow classification eats into that window. Ensure your incident response processes can classify quickly and meet this timeline.
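The deadline arithmetic above is easy to get wrong in a live incident, particularly the interaction between the 4-hour window and the 24-hour cap. The following is an added example, not code from the article or from any regulator: a small deadline tracker that computes each report's due time from the awareness, classification and submission timestamps, flags when the cap has shortened the initial window, and lists reports that are overdue. The time limits encoded here are as the author of this example understands DORA Article 19 and the Commission's delegated acts on incident reporting; "one month" is approximated as 30 days, which is an assumption, and the timestamps in the usage block are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Time limits as understood when this example was written (DORA Art. 19 and the
# delegated acts on major-incident reporting); verify against the current text.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # 4h from classification as major ...
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)   # ... but never later than 24h from awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # 72h from the initial notification
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)       # "one month": 30 days is an assumption here


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (SIEM/ticket timestamps should already be UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _require_aware(name: str, value: Optional[datetime]) -> None:
    """Naive timestamps silently shift deadlines across DST or zones; refuse them."""
    if value is not None and value.tzinfo is None:
        raise ValueError(f"{name} must be timezone-aware")


@dataclass
class IncidentReportingClock:
    aware_at: datetime                              # entity became aware of the incident
    classified_major_at: datetime                   # incident classified as major
    initial_sent_at: Optional[datetime] = None      # initial notification submitted
    intermediate_sent_at: Optional[datetime] = None # intermediate report submitted
    final_sent_at: Optional[datetime] = None        # final report submitted

    def __post_init__(self) -> None:
        for name in ("aware_at", "classified_major_at", "initial_sent_at",
                     "intermediate_sent_at", "final_sent_at"):
            _require_aware(name, getattr(self, name))
        if self.classified_major_at < self.aware_at:
            raise ValueError("an incident cannot be classified before the entity is aware of it")

    def initial_deadline(self) -> datetime:
        """4h after classification, but capped at 24h after awareness (the earlier wins)."""
        return min(self.classified_major_at + INITIAL_AFTER_CLASSIFICATION,
                   self.aware_at + INITIAL_CAP_AFTER_AWARENESS)

    def initial_window_is_capped(self) -> bool:
        """True when classification was slow enough that the 24h cap shortens the 4h window."""
        return (self.aware_at + INITIAL_CAP_AFTER_AWARENESS
                < self.classified_major_at + INITIAL_AFTER_CLASSIFICATION)

    def intermediate_deadline(self) -> Optional[datetime]:
        """Runs from the actual submission of the initial notification, so None until then."""
        if self.initial_sent_at is None:
            return None
        return self.initial_sent_at + INTERMEDIATE_AFTER_INITIAL

    def final_deadline(self) -> Optional[datetime]:
        """Runs from the actual submission of the intermediate report."""
        if self.intermediate_sent_at is None:
            return None
        return self.intermediate_sent_at + FINAL_AFTER_INTERMEDIATE

    def overdue_reports(self, now: datetime) -> List[str]:
        """Names of reports whose deadline has passed without a recorded submission."""
        _require_aware("now", now)
        checks = [
            ("initial", self.initial_deadline(), self.initial_sent_at),
            ("intermediate", self.intermediate_deadline(), self.intermediate_sent_at),
            ("final", self.final_deadline(), self.final_sent_at),
        ]
        return [name for name, deadline, sent in checks
                if deadline is not None and sent is None and now > deadline]


if __name__ == "__main__":
    # Constructed sample: aware Monday 09:00Z, classified as major 22 hours later.
    clock = IncidentReportingClock(aware_at=utc(2025, 3, 3, 9),
                                   classified_major_at=utc(2025, 3, 4, 7))
    print("initial notification due:", clock.initial_deadline().isoformat())
    print("window shortened by 24h cap:", clock.initial_window_is_capped())
    print("overdue at classification:", clock.overdue_reports(clock.classified_major_at))
```

In the sample run the initial notification is due at 09:00Z on the Tuesday, two hours after classification rather than four, because the 24-hour cap from awareness binds. Feeding the tracker a classification timestamp more than 24 hours after awareness reports the initial notification as already overdue at the moment of classification, which is the scenario a slow triage process produces.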

3. Digital Operational Resilience Testing

Regular testing of ICT systems and controls is mandatory:

  • Basic testing: vulnerability assessments and scans, network security assessments, source code review, scenario-based and penetration testing, carried out at least yearly on systems supporting critical or important functions
  • Advanced testing: threat-led penetration testing (TLPT) at least every three years for entities identified by their competent authority
  • Inclusion in TLPT scope of ICT third-party providers that support critical or important functions
  • Prioritised remediation of identified vulnerabilities, with results and remediation plans retained for the competent authority

4. ICT Third-Party Risk Management

Comprehensive requirements for managing ICT service providers:

  • Register of information covering all ICT third-party arrangements, maintained at entity, sub-consolidated and consolidated level and made available to the competent authority
  • Due diligence before engagement, including concentration risk assessment where the provider supports critical or important functions
  • Contractual requirements (service descriptions and locations, security and incident obligations, audit and access rights, termination and exit strategies)
  • Ongoing monitoring and oversight, with exit plans that can actually be executed

5. Information Sharing

DORA encourages voluntary sharing of cyber threat intelligence:

  • Participation in threat intelligence sharing arrangements
  • Notification to authorities of participation
  • Protection of shared information

Critical ICT Third-Party Providers

DORA introduces direct oversight of critical ICT third-party providers (CTPPs) by the European Supervisory Authorities (EBA, EIOPA and ESMA), one of which is appointed Lead Overseer for each designated provider. Designation criteria include:

  • Systemic importance to financial entities
  • Degree of substitutability
  • Number and type of financial entities served

Major cloud providers and technology vendors serving multiple financial institutions are likely to be designated as CTPPs.

Implementation Priorities

Immediate Actions

  • Assess applicability and scope
  • Gap analysis against DORA requirements
  • Board briefing on obligations and risks
  • ICT third-party register compilation

Medium-Term Actions

  • ICT risk management framework enhancement
  • Incident reporting process updates
  • Contract renegotiation with ICT providers
  • Testing programme development

Relationship with Existing UK Requirements

UK firms already subject to FCA/PRA operational resilience requirements will find overlap with DORA, but also gaps:

  • The UK regime is built around important business services and impact tolerances; DORA prescribes controls on ICT risk and the ICT systems supporting critical or important functions
  • DORA has more prescriptive third-party requirements, including the register of information and mandatory contract terms
  • Incident reporting timelines and report formats differ, so a single incident may trigger separate submissions under each regime
  • DORA includes direct oversight of critical providers by the ESAs; the UK's Critical Third Parties regime under FSMA 2023 is the domestic counterpart, with its own designation process and oversight mechanics

Conclusion

DORA represents a significant regulatory development for financial services ICT risk management. UK firms with EU exposure must ensure compliance, while UK-only firms should monitor for potential domestic equivalents.

The comprehensive nature of DORA—covering risk management, incident reporting, testing, and third-party oversight—requires a coordinated approach across technology, risk, and compliance functions.
