On 17 January 2025, the EU’s Digital Operational Resilience Act (DORA) will come into effect, marking a significant shift in how financial entities across Europe manage digital resilience. Designed to fortify the financial sector against technological risks, DORA establishes a harmonised regulatory framework to ensure businesses can withstand, respond to, and recover from cyber threats and IT disruptions.

DORA will not directly apply to the UK, which remains governed by existing Financial Conduct Authority and Prudential Regulation Authority operational resilience rules. However, UK financial entities offering services to EU financial institutions or operating in the EU market must comply with DORA’s stricter requirements, ensuring alignment with its enhanced digital resilience standards. This blog outlines the key elements of the regulation, the main considerations for financial entities, and the current UK requirements.

What is DORA?

DORA is a pivotal piece of legislation that strengthens the EU’s approach to financial stability by addressing vulnerabilities arising from reliance on digital technologies. The regulation applies to a wide range of entities in the financial sector, including:

  • Banks;
  • Payment institutions;
  • Investment firms;
  • Insurance and reinsurance companies; and
  • Critical third-party ICT providers.

Unlike previous cybersecurity-focused laws, DORA emphasises operational resilience. It requires entities to adopt comprehensive measures to identify, assess, and mitigate risks stemming from IT disruptions or cyber incidents. The aim is not only to protect individual organisations but also to safeguard the interconnected financial ecosystem from cascading failures. DORA is closely aligned with the EU’s broader Digital Finance Strategy, reflecting its commitment to fostering innovation while ensuring robust digital safeguards.

Who Needs to Comply?

DORA’s scope is extensive, encompassing financial institutions and critical third-party ICT (Information and Communication Technology) service providers. For UK-based financial entities and UK ICT service providers—including cloud service providers, software providers, and data analytics firms—operating within the EU or servicing EU clients, DORA compliance will likely be a necessity.

While DORA is an EU regulation, its extraterritorial implications mean that non-EU firms offering services to EU financial institutions must also adhere to its requirements. UK entities should monitor developments closely, especially in light of potential UK-specific regulatory alignment.

Key Pillars of DORA

DORA establishes five core pillars that organisations must address to achieve compliance:

1. ICT Risk Management

Organisations must implement robust frameworks to identify and manage ICT-related risks. This includes:

  • establishing governance structures for ICT risk oversight;
  • conducting regular risk assessments; and
  • adopting clear policies for managing ICT incidents.

2. ICT Incident Reporting

Financial entities must report significant ICT-related incidents to their national competent authorities within strict timelines. This will require:

  • detailed procedures to classify incidents based on severity; and
  • clear channels for communication and reporting.

3. Digital Operational Resilience Testing

Entities are required to conduct periodic resilience tests to identify vulnerabilities. These include penetration testing and scenario-based exercises to simulate real-world disruptions. For critical service providers, testing may involve independent third-party assessors.

4. Managing Third-Party ICT Risks

Given the reliance on external providers for critical operations, DORA introduces stringent rules for outsourcing. Organisations must:

  • vet third-party providers for compliance with DORA standards;
  • ensure contracts include provisions for risk management, incident reporting, and data security; and
  • maintain comprehensive registers of all ICT service providers.

5. Information Sharing

Encouraging collaboration across the sector, DORA promotes the voluntary sharing of cyber threat intelligence among financial entities. This initiative aims to strengthen collective resilience and improve industry-wide responses to emerging threats.

Key Considerations for Organisations

With DORA taking effect on 17 January 2025, financial entities and ICT service providers must ready themselves to meet the regulation’s stringent requirements. While the overarching goal is to build resilience, the process of compliance will require a thorough evaluation of existing practices, governance structures, and external dependencies. Many organisations are using DORA as an opportunity to enhance their overall operational security while ensuring alignment with regulatory expectations.

Key considerations include:

  • Governance and Accountability: Organisations must establish clear oversight of ICT risks, ensuring that senior management is actively engaged in monitoring and addressing compliance obligations. ICT risks should be integrated into broader risk management frameworks, supported by a governance structure that emphasises transparency, accountability, and ongoing oversight.
  • Third-Party Dependencies: Given DORA’s strong emphasis on managing outsourcing risks, businesses must critically evaluate their relationships with ICT service providers. Contracts and service level agreements should explicitly address DORA’s requirements for operational resilience, incident reporting, and security standards. Regular reviews of vendor performance and resilience capabilities are essential to maintaining compliance.
  • Testing and Incident Preparedness: Robust resilience testing is a cornerstone of DORA’s framework. Businesses must conduct regular testing, including penetration tests and scenario-based exercises, to identify vulnerabilities and assess their preparedness for operational disruptions. Incident response plans should be comprehensive, well-documented, and regularly updated, enabling organisations to swiftly detect, respond to, and recover from ICT disruptions or cyberattacks.

UK Developments

While DORA focuses on harmonising digital operational resilience across the EU, the UK is also advancing its own measures to strengthen cyber resilience within its financial sector and beyond. The upcoming Cyber Security and Resilience Bill is poised to enhance the UK’s regulatory landscape, aiming to bolster protections against evolving cyber threats and ensure critical systems remain secure.

Additionally, data centres have been designated as part of the UK’s Critical National Infrastructure (CNI), reflecting their pivotal role in maintaining the nation’s digital and operational stability. This classification underscores the importance of heightened security measures and robust incident management protocols for entities operating or relying on these critical facilities.

Furthermore, the UK has already implemented the Network and Information Systems (NIS) Regulations, which impose obligations on essential service providers to ensure their systems are secure, resilient, and capable of responding to cyber incidents. While these initiatives align closely with DORA’s emphasis on resilience, organisations operating across both the EU and UK must navigate the nuances of these overlapping frameworks to ensure compliance on both fronts.

Conclusion

The introduction of DORA represents a decisive step towards strengthening digital resilience across the EU financial sector. For businesses, the regulation is both a challenge and an opportunity: a challenge to meet rigorous new standards, but an opportunity to build more robust and secure digital infrastructures. With the January 2025 deadline fast approaching, now is the time to act. By taking a proactive approach to compliance and adopting a strategic approach to digital resilience, businesses can not only mitigate risks but also position themselves to thrive in an increasingly interconnected and technology-dependent financial ecosystem.

If you would like to discuss anything raised in this blog, please get in touch with Alison Bryce or your usual Brodies contact.

Contributors

Alison Bryce

Partner

Lindsay Lee

Senior Associate

Steven Pears

Trainee