Digital Operational Resilience Act

DORA is a regulatory framework proposed by the EU to enhance the operational resilience of the financial sector. While the UK left the EU in January 2020, its close economic ties and regulatory alignment mean that DORA has significant implications for UK companies, especially those operating in and with the financial services industry.

DORA will apply from 17 January 2025.

What is DORA?

DORA aims to address the growing importance of digital operations in the financial sector. In an increasingly interconnected and digitized world, the ability of financial institutions to withstand and recover from operational disruptions is paramount. DORA focuses on five pillars to achieve this:

ICT Risk Management

Financial institutions are required to identify, manage, and mitigate IT and security risks. They need to establish cybersecurity policies, incident response plans, and ensure robust protection of sensitive data.

ICT-related incident management, classification and reporting

Regular testing of these plans is essential to assess their effectiveness. Institutions must also report significant incidents and data breaches to regulators in a timely and transparent manner.

Digital Operational Resilience Testing

For the purpose of assessing preparedness for handling ICT-related incidents and of identifying weaknesses, financial entities other than microenterprises shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework.

Third-Party Service Providers

Financial firms must manage the risks associated with third-party service providers, such as cloud services or data processing firms. Those that have contractual arrangements in place for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with all obligations under this Regulation and applicable financial services law.

Information Sharing

Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing.

How does DORA affect UK Companies?

Even though the UK is no longer an EU member, DORA will impact UK companies that have operations or business relationships with EU entities. This is particularly relevant to financial institutions with European clients or branches. These companies will need to adhere to DORA’s requirements to operate within the EU market.

UK companies operating in the EU may face a competitive disadvantage if they do not adhere to DORA’s requirements. This can lead to a potential loss of market share or the need to adjust business practices to stay compliant.

The UK government has hinted at rolling out similar regulations applicable to UK companies. In 2024 a raft of new regulations and directives will come into play in the EU to help tighten cyber security, including NIS2 and the Cyber Resilience Act. Whilst these don’t apply to the UK, we will not want to lag behind and will be looking to implement similar enforceable laws, to work in parallel with the existing advice, best practices and frameworks. The National Cyber Strategy’s mission statement is ‘UK in 2030 will continue to be a leading responsible and democratic cyber power, able to protect and promote our interests in and through cyberspace in support of national goals’.

Navigating the Impact of DORA

In 2024/25 we have a raft of new Directives and Regulations coming into force that will affect several of our customers who operate in the applicable industries and geographies. For example – the Digital Operational Resilience Act or ‘DORA’ comes into force on January 17th 2025.

Read our blog from Geoff Clemow, sponsored by Hitachi, as he explores how to navigate the impact of DORA.

Fines and GDPR

As with GDPR, it is up to the EU member state’s Data Protection Commission to fine non-compliant companies. However, where GDPR has a €20m/4% of annual turnover fine cap (whichever is greater), there is no guidance yet on what fines could be levied under DORA. GDPR fines to date currently total €20bn.

This regulation does not replace GDPR. For example, GDPR fines are typically only levied after a data breach, or after non-compliance with a right-to-be-forgotten request, etc. – essentially only after a non-compliant event occurs. DORA means that fines can be levied on companies that are not, for example, cyber resilient, even if no breach has occurred.

Complying with Regulations

DORA, though an EU regulation, has substantial implications for UK companies, particularly those in, or working with, the financial sector. While the exact impact will vary depending on the nature of their operations and their EU market exposure, it’s crucial for UK companies to be proactive in understanding and preparing for the changes brought about by DORA.

Complying with the regulation not only ensures access to the EU market but also enhances operational resilience and security, ultimately benefiting both companies and their customers.

Advice from our DORATpro

“DORA and the new regulations coming in the next year (including NIS2 and the CRA) aim to encourage and enforce best practices for Cyber Resilience and Business Continuity in general, which is welcomed, and frankly overdue. Organisations can no longer hope they won’t get breached, or fined under GDPR once the horses have bolted; they will need to lock the barn door beforehand.”


Geoff Clemow, DORATpro certified Datacentre Specialist

DORA Timeline

Get Started Today

DORA is a complex combination of cyber resilience, testing, reporting, and training. These are all areas that we can help with, though; get in touch with us today.


© 2022 Ultima Business Solutions Limited. All rights reserved. | Registered Address: Gainsborough House, Manor Farm Road, Reading, England, RG2 0NA | Company Registration 02521249 Registered in England & Wales