DORA Compliance for EU/UK Financial Services

12 policies aligned to the five DORA pillars — ICT risk, incidents, resilience testing, third-party risk, and threat intelligence. Effective since 17 January 2025.

DORA (EU 2022/2554) Financial Services ICT Risk

EU DORA Financial Services pack

12 policies · £600 one-off

Lifetime access · no renewal · bespoke to your firm type


What is DORA?

Quick answer. The Digital Operational Resilience Act (Regulation EU 2022/2554) is the EU's unified rulebook for ICT risk in financial services. It became directly applicable on 17 January 2025, harmonising operational-resilience requirements across banks, insurers, investment firms, payment institutions, crypto-asset service providers and others. Built around five pillars: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing.

The Digital Operational Resilience Act (Regulation EU 2022/2554) is the EU's unified rulebook for ICT risk in financial services. It became directly applicable on 17 January 2025 and harmonises operational resilience requirements across banks, insurers, investment firms, payment institutions, crypto-asset service providers and many others.

DORA is built around five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. It is directly supervised by the European Supervisory Authorities (EBA, ESMA, EIOPA) and competent national authorities. For UK firms the FCA's parallel SYSC 15A regime covers similar operational-resilience ground.

Who needs DORA policies?

Quick answer. EU-regulated banks, insurers and investment firms; EU payment institutions and e-money firms (including PSPs under PSD2); EU crypto-asset service providers under MiCA; critical ICT third-party providers designated by the European Supervisory Authorities (including cloud providers serving EU financials); and UK firms with EU subsidiaries or passporting into the EU, where equivalent operational resilience is expected.

  • EU-regulated banks, insurers and investment firms — directly in scope.
  • EU payment institutions and e-money firms — including PSPs under PSD2.
  • EU crypto-asset service providers under MiCA — DORA sits alongside MiCA authorisation.
  • Critical ICT third-party providers designated by ESAs — including cloud providers serving EU financials.
  • UK firms with EU subsidiaries or passporting into the EU — equivalent resilience expected.

Policies you need for DORA

Quick answer. DORA is principles-based, but the Regulatory Technical Standards spell out precise documentation. 12 policies cover all five pillars: ICT risk management, ICT third-party risk, ICT incident management, operational resilience testing, business continuity, information security, change management, identity and access, data protection, major incident reporting, subcontracting and threat-led penetration testing.

DORA is principles-based but the RTS (Regulatory Technical Standards) spell out precise documentation expectations. These 12 policies cover all five DORA pillars — all included in our EU DORA Financial Services pack:

ICT Risk Management

Articles 5–16 — framework, governance, controls.

ICT Third-Party Risk

Articles 28–30 — register, contracts, concentration risk.

ICT Incident Management

Articles 17–23 — classification matrix, timelines.

Operational Resilience Testing

Articles 24–27 — vulnerability scans, pen testing cadence.

Business Continuity

Business impact analysis, RTOs, scenario testing.

Information Security

ISMS aligned to ISO 27001 + DORA enhancements.

Change Management

ICT change governance — approvals, rollback, testing.

Identity & Access Management

Privileged access, MFA, segregation of duties.

Data Protection

DORA + GDPR alignment for EU financial data.

Major Incident Reporting

Initial, intermediate, final report templates.

Subcontracting Policy

Sub-outsourcing chain controls required under Articles 28–30.

Threat-Led Penetration Testing

TLPT readiness for significant firms.

Realistic timeline to DORA readiness

Quick answer. 6–10 weeks to documentary readiness if starting from scratch; operational evidence accumulates over 6–12 months. Week 1–2: 12 bespoke policies in 48 hours. Week 3–4: build the ICT third-party register and check contracts for DORA clauses. Week 5–6: configure incident classification + tabletop exercise. Week 7–10: board approval, first resilience test, distribute policies.

If you haven't yet started, most in-scope firms can reach documentary readiness in 6–10 weeks. Operational evidence accumulates over the following 6–12 months.

  1. Week 1–2: Buy the EU DORA pack, answer structured questions, receive 12 bespoke policies in 48 hours.
  2. Week 3–4: Build the ICT third-party register — catalogue every ICT service, classify by criticality, check contracts for DORA clauses.
  3. Week 5–6: Configure incident classification tooling against the DORA thresholds; run tabletop exercise.
  4. Week 7–10: Board approval of ICT risk framework, first operational resilience test, distribute policies.
  5. Ongoing: Annual testing, major-incident reporting as required, TLPT every 3 years (significant firms).

PolicySuite vs GRC platforms vs consultant vs DIY

Quick answer. Big-4 and tier-1 financial-services consultants charge £50k–£250k for a full DORA readiness engagement with 3–6 month delivery. GRC platforms (Archer, MetricStream, ServiceNow GRC) cost £40k+/year and still need policy authoring. Generic templates miss the RTS-specific language auditors look for. PolicySuite produces RTS-aligned bespoke DORA policies covering all five pillars in 48 hours from £600.

UK SMEs typically compare four routes when sourcing compliance policies. Here's how they stack up on the decisions that matter.

| Decision | PolicySuite | GRC platforms (Vanta, Drata, SecureFrame) | Compliance consultant | DIY templates |
|---|---|---|---|---|
| Typical cost | £250–£1,500 one-off | £10k–£40k per year | £5k–£30k one-off | £0 + your time |
| Pricing model | Lifetime purchase | Annual seat-based | Project fee | Free (indefinite effort) |
| Time to policies ready | 48 hours | 4–8 weeks setup | 8–16 weeks | Months — rarely finished |
| UK-specific content | Built for UK SMEs | Partial — US-originated | If UK consultant | Partial — boilerplate templates only |
| Bespoke to your business | LLM-tailored from your answers | Partial — fill-in-the-blank | Yes — manual | Generic template |
| Framework coverage | 197 frameworks · 8 jurisdictions | 20–50 frameworks | Whatever the consultant knows | Up to you to find |
| Audit-ready evidence | Acknowledgements, distributions, version history | Strong — but seat-priced | You track it yourself | You track it yourself |
| Suits <50-person SMEs | Designed for UK SMEs | Price-prohibitive at SME scale | Sometimes — depends on scope | If you have the time |
| Cost to switch away | You own the docs — export anytime | Lose access on cancellation | You own the docs | You own the docs |


Frequently asked questions

When did DORA come into force?

DORA became directly applicable on 17 January 2025 across all EU member states. Firms were expected to have ICT risk frameworks, third-party registers, and incident classification procedures in place by that date. Supervisory authorities — EBA, ESMA, EIOPA — are now actively reviewing firms' compliance evidence.

Does DORA apply to UK firms?

DORA applies directly to UK firms only if they have EU entities or provide ICT services to EU financial entities. UK firms passporting into the EU typically need to demonstrate equivalent operational resilience. The FCA's SYSC 15A regime covers similar ground — our pack maps to both.

What are the DORA pillars?

Five pillars: (1) ICT Risk Management, (2) ICT Incident Reporting, (3) Digital Operational Resilience Testing including TLPT for significant firms, (4) ICT Third-Party Risk, and (5) Information Sharing. Our policy pack covers documentation for all five.

Who must comply with DORA?

Banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, crowdfunding providers, and critical third-party ICT providers designated by ESAs. Proportionality applies — smaller firms have lighter testing and reporting. Our pack scales accordingly.

How does DORA relate to ISO 27001 and NIS2?

DORA is sector-specific; NIS2 covers critical infrastructure more broadly. ISO 27001 is an international management standard — ISO-certified firms have most of DORA's controls already but still need to add TLPT readiness, specific regulator reporting timelines, and concentration risk analysis.

What does the EU DORA Financial Services pack include?

12 DORA-aligned policies across ICT risk management, third-party risk, incident classification and reporting, operational resilience testing, business continuity, information security, change management, IAM, data protection, major-incident reporting, subcontracting, and TLPT. Bespoke to your firm type — see live pricing on the product page.

DORA-ready in 48 hours, not 4 months

Get 12 bespoke DORA policies covering all 5 pillars — lifetime access, no renewal.


References and primary sources

Quick answer. The framework guidance on this page is reviewed against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so an auditor, procurement reviewer or DPO can verify the alignment without taking the page on trust.

In our experience working with UK SMEs and similar organisations across the EU and US, the framework pages that survive enterprise vendor reviews are the ones that cite primary sources rather than secondary blog posts. Many UK SMEs discover this only after their first failed vendor questionnaire: the reviewer asked for a clause-to-source map, and the standard reply pointed at a marketing page rather than the relevant regulator. The references above are the standing set we cite from inside the policies themselves, so the chain stays intact end-to-end.