What DORA is and why UK firms cannot ignore it
DORA, formally Regulation (EU) 2022/2554, is the European Union’s framework for the digital operational resilience of the financial sector. It entered into application on 17 January 2025 and covers banks, insurers, investment firms, crypto-asset service providers, and, importantly, the ICT third-party service providers that support them.
The regulation’s central insight is that financial stability in 2026 depends as much on the resilience of cloud providers, SaaS vendors, and outsourced ICT services as it does on the banks themselves. DORA therefore sets out obligations for in-scope financial entities and creates a regime under which the largest, most critical ICT third-party providers can be designated and supervised directly by European Supervisory Authorities.
UK firms are not outside DORA simply because the UK is outside the EU. If a UK financial entity operates in the EU through a subsidiary, branch, or passported activity, DORA applies to that EU-facing activity. If a UK ICT service provider supplies an in-scope EU firm, its contract will carry DORA-mandated clauses and its operational practices will need to satisfy its client’s regulatory position. For context on how DORA fits within the broader Third-Party Risk Management picture, see our plain-English guide.
The five pillars of DORA
DORA is organised around five substantive areas. Each one has implications for third parties.
1. ICT risk management
In-scope firms must operate a comprehensive ICT risk management framework, approved by the management body, covering identification, protection, detection, response, and recovery. The framework must be reviewed at least annually and after major incidents. For third parties, this means your client’s risk framework will reach into your contract. Expect clauses requiring you to maintain documented controls, to cooperate with their risk assessments, and to evidence your security posture on request.
2. ICT-related incident management and reporting
Financial entities must classify, manage, and report major ICT-related incidents under harmonised criteria, which directly shapes the security operations model that supports those entities. Initial notification to the competent authority is required within short timeframes. For third parties, this translates into incident notification clauses with aggressive timelines: often 2 to 4 hours for a suspected major incident. If your current notification SLA is 24 or 72 hours, you will struggle to keep DORA-covered clients.
3. Digital operational resilience testing
In-scope firms must test their ICT systems at least annually, with advanced threat-led penetration testing (TLPT) required every three years for larger entities. Third parties supporting critical functions can expect to be included in their client’s testing scope. That means your production systems may be pen-tested by your client’s red team, and you will need to accept it.
4. ICT third-party risk
This is the pillar that reaches UK third parties most directly. Financial entities must maintain a register of information about all ICT third-party service providers, conduct full due diligence before contracting for critical functions, and ensure contracts contain specific mandatory clauses. The European Supervisory Authorities may also designate ‘critical ICT third-party service providers’ (CTPPs) and supervise them directly. If you are a large UK cloud or SaaS provider supplying EU financial entities at scale, CTPP designation is possible.
5. Information sharing
DORA encourages, though does not mandate, information sharing on cyber threats between financial entities. This is the least operationally demanding pillar and the one most likely to develop voluntary good practice over time.
How DORA reaches a UK firm in practice
Consider three common scenarios.
A UK insurer with an Irish subsidiary selling into the EU. The Irish entity is directly in scope. DORA compliance sits with the Irish entity, but the UK parent’s group ICT function, risk framework, and third-party register must satisfy the Irish entity’s regulatory position. In effect, group-level changes are required.
A UK SaaS provider supplying workflow tools to EU banks. The SaaS provider is a third-party ICT service provider to an in-scope entity. DORA does not apply to the SaaS firm directly, but its contracts will. Expect renegotiated clauses covering incident notification, audit rights, sub-contractor transparency, exit strategies, and resilience testing participation. Expect the first push for these changes to come through procurement in quarterly contract cycles.
A UK-headquartered bank with a German branch. The German branch is in scope. The UK bank’s third-party register, incident classification taxonomy, and resilience testing programme need to cover the German branch’s suppliers. In practical terms, the UK parent ends up building a DORA-grade programme even though the UK itself has not adopted DORA.
What UK third parties should be doing now
If you are a UK ICT service provider with any EU financial entity clients, here is a practical sequence of actions:
- Identify which of your clients are in scope. Banks, investment firms, insurers, reinsurers, payment institutions, crypto-asset service providers, and market infrastructures are the main categories. If in doubt, ask your client directly.
- Review your standard contract terms against DORA’s mandatory clauses. The regulation and its Regulatory Technical Standards set out specific requirements on audit rights, sub-contractor consent, exit arrangements, incident reporting, and data location. A gap analysis here is a one-week piece of work.
- Shorten your incident notification SLA. If you cannot commit to notifying a suspected major incident within 2-4 hours, you are not DORA-ready.
- Map your sub-processors and onward supply chain. DORA requires transparency deep into the supply chain, not just at tier one. The UK GDPR sub-processor rules overlap materially with this requirement. Build the register before your client asks for it.
- Prepare for resilience testing participation. This includes the technical ability to isolate test environments from production, legal acceptance of being included in client red-team exercises, and internal capacity to support TLPT engagements.
- Document an exit plan. DORA requires financial entities to be able to exit their critical ICT providers without disruption. Your clients will ask for documented exit arrangements. Better to have them ready than to draft them under pressure.
The UK’s own direction of travel
The UK has chosen not to adopt DORA directly, but it is moving in the same direction under different legislation. The Bank of England, PRA, and FCA jointly published operational resilience policy requiring UK financial firms to identify important business services, set impact tolerances, and ensure they can remain within tolerance during severe-but-plausible disruption. The PRA’s supervisory statement on outsourcing and third-party risk management (SS2/21) overlaps materially with DORA’s third-party risk pillar and with the UK’s broader regulatory compliance framework.
The practical effect is that a UK firm building for DORA is also building for UK regulatory expectations. The effort is not wasted.
How Logica Security supports DORA readiness
Logica Security’s TPRM service is a fully managed, done-for-you service that takes ownership of the third-party risk aspects of DORA: vendor registers, due diligence processes, contract gap analysis against DORA’s mandatory clauses, and incident response testing with critical suppliers. Your team keeps oversight. We handle the work. If your firm is preparing for a DORA audit, a contract renegotiation round with EU clients, or its first threat-led penetration test, we can scope the third-party dimension end-to-end and deliver board-ready reporting through the programme.
DORA operational resilience mapping, stress testing, and tabletop exercises are available as add-ons. What stays with you: deciding which suppliers are in scope, final risk acceptance decisions, and internal escalations. Everything else is run by our team.
A short exploratory call is the fastest way to clarify where your third-party programme sits against DORA expectations today, and what the next steps look like.
Key takeaways
- DORA has been in application since 17 January 2025 and covers ICT risk management, incidents, resilience testing, third-party risk, and information sharing.
- UK firms are reached through two routes: direct scope if they operate in the EU, and contractual flow-down if they supply in-scope EU financial entities.
- The most demanding operational change for UK third parties is incident notification within 2-4 hours of a suspected major incident.
- A UK ICT provider should gap-analyse its standard contracts, shorten its notification SLA, map its sub-processors, and prepare an exit plan.
- UK operational resilience rules run in parallel to DORA. Effort spent on DORA-readiness is not wasted on the UK side.