DORA Compliance After Brexit: Why UK Firms Can’t Ignore It

Since the UK officially left the European Union, many businesses have tried to understand how EU regulations affect them. One such regulation — the Digital Operational Resilience Act (DORA) — is raising a lot of questions, especially around DORA compliance among UK-based firms in the financial and IT sectors.

Some might assume DORA doesn’t apply to them anymore. But here’s the reality: DORA isn’t just about where your business is located — it’s about where your clients, services, and data flow. And for many UK organisations, especially those working with EU financial entities, ignoring DORA could be a costly mistake.

Let’s break down what DORA is, why it matters to UK businesses, and how you can start preparing — even after Brexit.

What Is DORA?

The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to ensure that financial institutions across the EU are better prepared to deal with cyber risks, ICT failures, and digital disruptions. It came into force in January 2023 and becomes fully applicable from 17 January 2025.

Its main aim is to create a uniform standard for how financial firms handle digital operational resilience — meaning their ability to continue delivering services, even during IT incidents, cyberattacks, or disruptions.

Unlike earlier fragmented rules, DORA brings everything together under one roof. It applies not only to financial institutions but also to third-party ICT service providers, such as cloud platforms, cybersecurity vendors, and software suppliers.

Key areas DORA covers include:

  • ICT risk management
  • Incident reporting and response
  • Operational resilience testing
  • Managing third-party ICT risks
  • Information sharing within the sector

Does DORA Apply to UK Companies Post-Brexit?

You might be thinking, “We’re not in the EU anymore, so this doesn’t affect us.” That’s a common assumption — but it’s not always correct.

Here’s why DORA still impacts many UK-based firms:

1. You Serve EU Clients

If your UK company provides services to EU-based financial institutions — whether you’re a bank, fintech firm, or ICT service provider — your clients will likely expect you to align with DORA requirements. Even if the regulation doesn’t technically apply, commercial pressure will.

2. You Have a Branch or Entity in the EU

Many UK firms continue to operate through EU branches, especially in financial hubs like Dublin, Frankfurt, or Amsterdam. These operations fall under EU regulations, including DORA. That means your UK headquarters will often need to support compliance at the group level.

3. You Want to Stay Competitive

If you’re bidding for contracts in the EU or partnering with EU-regulated firms, being able to demonstrate DORA-aligned practices could give you an edge over competitors who aren’t prepared.

4. Your Business Relies on Cross-Border Digital Services

Even if your clients are UK-based, your systems, data storage, or technology vendors might be in the EU — or vice versa. That alone can create a compliance exposure, especially around third-party risk management.

Why You Shouldn’t Ignore DORA

Here’s the bottom line: Even if DORA isn’t legally binding in the UK, it is becoming the de facto standard for digital resilience across Europe — and it’s influencing global best practices.

Ignoring it could lead to:

  • Lost clients or contracts
  • Poor risk posture in audits or due diligence
  • Reduced credibility in high-trust industries like finance or tech
  • Difficulties in meeting future UK or global regulations

Instead, by proactively aligning with DORA, UK businesses can:

  • Build trust with EU partners
  • Strengthen internal systems
  • Prepare for emerging UK regulations
  • Improve cyber resilience and recovery speed

DORA vs UK Regulations: What’s the Difference?

The UK has its own approach to operational resilience. The FCA, PRA, and Bank of England introduced operational resilience rules for financial services firms, which came into effect in 2022. These rules require firms to identify their important business services, set impact tolerances, and test their ability to stay within them during disruptions.

So, how does this compare with DORA?

Area                   | DORA (EU)                                                        | UK Regulations
-----------------------|------------------------------------------------------------------|-------------------------------------------------------
Scope                  | Covers ICT risk for financial firms & third-party ICT providers  | Focuses on continuity of important business services
Applicability          | Applies to a wide range of EU financial entities and ICT providers | Applies mainly to PRA- and FCA-regulated firms
Third-party management | Strict rules on contracts, oversight, and registries             | General outsourcing and third-party guidelines
Testing & reporting    | Emphasises advanced testing, mandatory incident reporting        | Requires scenario testing, less prescriptive on ICT


For UK firms with EU connections, aligning with both sets of rules makes strategic sense.

What Should UK Firms Do Now?

If DORA might affect your company, here’s how to start preparing — without feeling overwhelmed:

1. Conduct a DORA Impact Assessment

  • Map your business operations and service relationships.
  • Identify where you interact with EU-based clients, branches, or systems.

2. Review Your ICT Risk Management

  • Make sure you have policies for identifying, monitoring, and mitigating ICT risks.
  • Include digital continuity planning and clear governance.

3. Strengthen Incident Response

  • Develop processes for fast detection, escalation, and reporting of ICT incidents.
  • Even if DORA doesn’t apply directly, your clients might require you to follow DORA-like timelines.

4. Evaluate Third-Party Contracts

  • Check whether your supplier agreements include data security, monitoring rights, and access provisions — all of which are core DORA requirements.

5. Plan for Resilience Testing

  • Consider regular cyber testing and simulations, especially if you offer services to EU firms.
  • For critical ICT providers, threat-led penetration testing might become a future expectation.

6. Stay Updated

  • DORA isn’t static. The European Supervisory Authorities (ESAs) are still publishing technical standards.
  • Watch for new developments — and consider working with a compliance advisor if needed.

Final Thoughts: DORA Is About Resilience, Not Just Regulation

While DORA may feel like “just another EU regulation”, it’s actually part of a global shift towards stronger digital risk management and operational resilience.

If your UK business wants to remain trusted, competitive, and secure — especially in the financial or tech ecosystem — taking DORA seriously is a smart move. Don’t wait until clients ask. Start preparing now, and you’ll turn compliance into a business advantage.

FAQs

1. Does DORA apply to UK firms?

Yes — in many cases, it does. While the UK is no longer part of the EU, UK firms that offer financial services in the EU, have EU-based clients, or act as ICT providers to EU financial institutions may still fall under DORA’s scope. Even if not legally required, many clients may demand DORA compliance as a condition of doing business.

2. What is the deadline for DORA compliance?

The Digital Operational Resilience Act (DORA) came into force in January 2023, but it becomes fully applicable from 17 January 2025. That means affected businesses must ensure they meet all the requirements — including risk management, incident reporting, and third-party oversight — by this date.

3. How can UK companies prepare for DORA compliance?

UK firms should start by conducting a DORA impact assessment to identify if and how the regulation applies. Key preparation steps include reviewing ICT risk policies, enhancing incident response, updating contracts with ICT providers, and planning for resilience testing. Even if not legally required, aligning with DORA improves operational resilience and strengthens client trust.