Have questions on whether DORA applies to your organisation? Read on…
CyberKainos. Reading time: 8 mins
DORA: What UK firms need to know (Even if we’re not in the EU)
We are back with more insight and advice for UK organisations wrestling with their ever-evolving regulatory compliance and cybersecurity risk positioning. This week… DORA
When the EU’s Digital Operational Resilience Act (DORA) came into force in January 2025, many UK financial service firms (that may or may not have been swayed by big red buses and catchy slogans) breathed a quiet sigh of relief. Brexit, they reasoned, had insulated them from yet another wave of Brussels-born regulation. Some took the trouble of running a quick scoping exercise, concluded that DORA didn’t apply, filed the board paper, and moved on.
That assumption is now coming back to bite.
In 2026, DORA has moved from a review and implementation phase into active enforcement. EU national competent authorities are conducting supervisory examinations, cross-checking registers of information, and beginning to issue penalties. The knock-on effects for UK firms, whether through EU subsidiaries, client relationships, or ICT supply chains, are becoming impossible to ignore.
Here’s what you actually need to know.
What is DORA, and who does it formally apply to?
DORA is an EU regulation, not a directive. This is important. It means it is binding in its entirety and applies directly across all EU member states without the need for national transposition. It establishes a harmonised framework for digital operational resilience across the financial sector and is built around five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.
Formally, DORA applies to a broad range of financial entities operating within the EU: banks, insurers, investment firms, payment providers, crypto-asset service providers, and their ICT third-party service providers. If your firm is incorporated and regulated solely in the UK, with no EU operations, clients, or supply chain touchpoints, DORA does not apply to you directly.
But now that we are in 2026, that “solely” is doing a lot of heavy lifting.
Three ways UK firms are already in DORA scope
The critical question for any UK firm isn’t “Are we an EU entity?” (we are not). It’s “Do we serve EU clients, operate through EU subsidiaries, or provide services that touch the EU financial sector?” For a significant number of UK firms, the honest answer to at least one of those questions is yes.
1. EU subsidiaries and branches
Any UK-headquartered group with an authorised subsidiary or branch in an EU member state has a DORA-obligated entity within its structure, regardless of where the parent is domiciled. The obligations fall on the EU-regulated entity, but the ICT infrastructure, third-party contracts, and risk management frameworks that the EU entity relies on are typically shared with, or managed from, the UK parent.
This is the source of most unresolved DORA exposure among mid-tier UK firms. The entity-level analysis may have confirmed limited direct obligation, while the operational and contractual reality creates a de facto compliance requirement that the original scoping exercise didn’t close. Investment managers with EU-authorised fund structures, insurers with EU-regulated branches, and any firm providing material ICT services to an entity that is itself DORA-obligated are all in this position.
2. ICT providers to EU financial institutions
UK firms that provide cloud infrastructure, data analytics, payment processing, compliance tooling, or core banking software to even a single EU-regulated financial institution face indirect DORA obligations. DORA requires EU financial firms to include specific contract terms for their ICT suppliers. These terms cover audit rights, data location, exit plans, subcontracting rules, and incident reporting support. If you are a UK ICT provider with EU financial services clients, expect those clients to be asking about your DORA readiness, if they haven’t already.
Renegotiating these contractual terms is not a minor administrative exercise. For suppliers with multiple EU financial services clients, it means reviewing and amending a significant volume of existing agreements and embedding DORA-aligned clauses into all new contracts going forward.
3. UK ICT suppliers within EU supply chains
Now things start to get more complicated. Even when a UK firm has no direct EU client relationship, it may sit within a supply chain that ultimately feeds into EU-regulated operations. DORA’s third-party risk requirements extend to subcontractors, and EU financial entities are required to map and register their full ICT dependency chains. UK technology providers supporting EU operations, even indirectly, may find themselves on a client’s Register of Information and subject to increased scrutiny as a result.
The UK parallel: More overlap than you might think
For UK firms operating purely domestically, DORA may not apply directly, but the regulatory direction of travel is unmistakably similar.
The FCA and PRA’s operational resilience framework, introduced in 2021, requires UK-regulated firms to identify their important business services, set impact tolerances, map their dependencies, test their ability to remain within those tolerances under stress, and remediate any gaps. The Bank of England, FCA, and PRA have all signalled alignment with DORA’s principles in their own supervisory approach.
In March 2026, the FCA and PRA published new rules, coming into force in March 2027, that introduce a formal UK framework for reporting serious operational incidents and material third-party arrangements. The framework was explicitly developed with an eye on alignment with DORA and the Financial Stability Board’s incident reporting standards. UK firms with EU-based affiliates are already being encouraged to factor in any overlap with DORA requirements when assessing compliance.
Separately, the UK’s Critical Third Parties (CTP) regime places direct regulatory oversight on technology providers deemed critical to the stability of the UK financial system. The FCA, PRA, and Bank of England have signed a Memorandum of Understanding with the European Supervisory Authorities to coordinate oversight of entities that fall under both the UK CTP regime and DORA.
The practical implication is that UK firms doing DORA gap work are simultaneously progressing their UK operational resilience obligations. The evidence, the controls, the third-party registers, and the governance structures required under DORA are largely the same building blocks the FCA and PRA are now expecting to see. Firms that treat these as separate workstreams are creating unnecessary duplication and missing an opportunity to build a coherent, future-proof resilience programme.
The good news: you have already done most of the work
By taking your organisation through ISO 27001, you have built the foundation SOC 2 rests on: an information security management system, a documented risk assessment, written policies, and the experience of surviving an external audit.
Direct mappings exist between the ISO 27001 Annex A controls and the Trust Services Criteria, and a substantial proportion of your existing evidence is reusable. Your information security policies, risk assessment and treatment, access control, change management, supplier management, incident response, and logging and monitoring will all carry across with adaptation rather than reinvention.
We will not insult you with a precise overlap percentage, because the honest figure depends on your scope and the categories you select. What we can say with confidence is this: the heavy lifting, the cultural and governance work which defeats most organisations, is already behind you.
What DORA actually requires (in plain terms)
For firms assessing their position, it helps to understand what DORA demands in practical terms rather than regulatory abstraction.
ICT risk management must be led by the board, not delegated to IT. Senior leaders must own the firm’s resilience posture and be accountable for it. ICT risk must be integrated into overall governance structures, with clear policies, defined roles, and continuous monitoring rather than periodic review.
Incident reporting is time-critical. Major ICT incidents must be detected, classified, and reported to regulators quickly, in some cases within hours of the initial determination that the incident meets the materiality threshold. Firms must use harmonised reporting templates, meaning the classification and documentation of incidents need to be consistent and regulator-ready from the outset, not reconstructed after the fact.
Resilience testing must go beyond paper-based assessments. DORA requires scenario-based testing, threat-led penetration testing (using the TIBER-EU framework for significant firms), and business continuity exercises, all with documented results reviewed at board level.
Third-party risk management is continuous, not annual. Firms must maintain a comprehensive Register of Information covering all ICT third-party providers, their systems, and dependencies. Responsibility for resilience remains with the financial institution even where services are outsourced. Exit strategies, audit rights, and sub-contractor visibility must be contractually embedded.
Information sharing across the sector, particularly around cyber threats, is encouraged under DORA’s Article 45 provisions, as part of a broader collective defence approach.
The risk of getting things wrong
For EU-regulated entities, the consequences of DORA non-compliance are predictable. Critical ICT third-party providers may face fines of up to €5 million, as well as daily penalties of up to 1% of average daily worldwide turnover. Regulators also have the power to suspend licences and revoke authorisation.
But for UK firms, the more immediate risk is reputational and commercial rather than directly regulatory. When an EU subsidiary’s competent authority examines that entity’s ICT risk framework and finds deficiencies that trace back to shared group infrastructure or contracts managed from the UK parent, the remediation requirement lands on the group regardless. The PRA and FCA are already alert to these dynamics. And in a market where operational resilience is becoming a competitive differentiator and not just a compliance obligation, being unable to demonstrate DORA-aligned practices is increasingly a commercial disadvantage in EU client conversations.
Where to start
The first step is a genuine scope assessment. List your legal entities, EU-regulated subsidiaries, EU client relationships, ICT services provided to EU financial institutions, and group-shared technology arrangements. Legal, compliance, risk, procurement, and technology need to agree on the working view, not just IT.
From there, map your highest-risk services and compare your existing FCA/PRA operational resilience documentation against DORA’s five pillars. You are likely to find more overlap than you expect and more gaps than you’d like.
How CyberKainos Can Help
If the above paragraph sounds like a lot of work, you can speak to a CyberKainos vCISO. We work with UK financial services firms and ICT providers to navigate exactly this kind of regulatory complexity and cut through the noise to build resilience programmes that satisfy both UK and EU expectations without duplication of work.
Whether you’re a UK firm with EU subsidiaries assessing your DORA gap, a technology provider being asked about your DORA readiness by EU clients, or a domestically focused organisation using DORA as a benchmark to strengthen your FCA operational resilience posture, our team brings the regulatory expertise and practical experience to get you from where you are to where you need to be.
Don’t wait for a supervisory examination to find your gaps. CyberKainos can help you build a resilience programme that’s ready for whatever the regulators ask next.