DORA Operational Resilience: A Practical Guide for UK Firms
Mark
The Digital Operational Resilience Act (DORA) entered into force in January 2023 and has applied to financial entities operating within the EU since 17 January 2025. For UK-authorised firms with EU operations, EU-domiciled clients, or third-party relationships with EU-regulated entities, understanding DORA is no longer optional.
DORA establishes a comprehensive framework for digital operational resilience covering five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party risk, and information sharing arrangements.
For many mid-tier firms, the ICT third-party risk management requirements will be the most challenging to implement. DORA requires a register of information covering all contractual arrangements with ICT third-party service providers, including cloud providers, data vendors, and software suppliers, distinguishing those that support critical or important functions; the register must be kept up to date and made available to the competent authority on request. It mandates specific contractual provisions (service levels, audit and access rights, termination and exit arrangements) and gives the European Supervisory Authorities the power to designate certain providers as "critical", subjecting them to direct oversight at EU level.
The incident reporting requirements are also significant. DORA mandates reporting of major ICT-related incidents to competent authorities within strict timeframes: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month. Classification is driven by detailed criteria such as the number of clients affected, duration, geographical spread, data losses, and economic impact. Firms must establish incident management processes that can detect, classify, and report incidents against that clock, and must be able to evidence the classification decision; these are capabilities that many mid-tier institutions do not currently have.
The testing requirements escalate with firm size and significance. Threat-led penetration testing (TLPT) is required at least every three years for financial entities identified by their competent authority as significant, and the DORA TLPT standards are aligned with the TIBER-EU framework. Even for firms below the TLPT threshold, a testing programme covering all ICT systems and applications that support critical or important functions is mandated, with tests carried out at least annually.
For UK firms, the PRA and FCA's own operational resilience framework — which predates DORA — provides a solid foundation. But DORA goes further in several respects, particularly around third-party risk management and incident reporting. Firms operating across both jurisdictions need to map the overlaps and gaps between the two regimes.
The practical steps for UK firms with EU exposure are clear: map your ICT third-party relationships against DORA's requirements; assess your incident management and reporting capabilities against DORA's thresholds and timelines; review your testing programme against the DORA framework; and establish a governance structure that can demonstrate compliance to both UK and EU regulators.
Mark
Founder & Principal
Mark founded Eaton Vasey in 2025 after a 20+ year career spanning Goldman Sachs, Deutsche Bank, and RBS. His experience covers derivatives operations, structured products processing, regulatory transformation, and AI adoption across tier-1 institutions. At Goldman Sachs he built and scaled cross-asset operations with deep exposure to OTC lifecycle and risk management. At Deutsche Bank he led MiFID II and EMIR implementation programmes across multiple jurisdictions. At RBS he delivered automation saving 200+ person-hours weekly and an AI-driven compliance platform that reduced onboarding time by 75%.