January 2025 saw the EU’s Digital Operational Resilience Act (DORA) come into force. Applicable to a wide range of financial entities, DORA aims to improve the digital resilience of financial organisations and their third-party technology providers.
UK-based firms operating within the EU must now comply with a comprehensive set of cyber security, risk management and business continuity requirements. This includes IT providers categorised as Critical Third-Party Providers (CTPPs) that supply services to EU financial institutions. The consequences of non-compliance with DORA’s stringent requirements are significant: firms face fines equivalent to 2% of their global annual turnover or €10 million, whichever is higher.
While UK organisations that don’t fall within DORA’s remit may feel little compulsion to evaluate their current compliance with its technical standards, the rising volume of cyberattacks impacting the finance sector means robust cyber resilience is now a mission-critical must-have.
Added to which, the UK government has indicated it is preparing to implement its own DORA equivalent in the near future, which makes working towards compliance with DORA’s digital operational resilience framework a sensible option.
A new UK regulatory reality on the horizon?
The operational resilience of financial services firms and their critical third-party technology providers, including cloud service providers, is a key focus for UK regulators. The UK government looks likely to introduce its own framework designed to address the operational risks associated with technology and cyber threats.
In the wake of DORA, which has reshaped the regulatory landscape on digital operational resilience for financial firms and their third-party ICT service providers, the UK government is planning to legislate on this issue and increase the scope of current regulation.
In January 2025 the Bank of England, in conjunction with the Prudential Regulation Authority and the Financial Conduct Authority, set out proposals to bring the UK in line with DORA and its operational resilience frameworks.
This announcement should incentivise all UK firms to work towards compliance with the current DORA regime in readiness for a UK equivalent in the not-too-distant future.
Finance entities – understanding the key components of DORA
DORA introduces several important requirements relating to third-party risk management. Alongside ensuring their third-party ICT suppliers comply with DORA standards, finance firms must undertake detailed vendor due diligence when contracting services from providers that deliver ‘critical or important’ IT services.
DORA mandates a number of provisions that financial entities must include in their contractual arrangements with third-party ICT and cloud service providers. In addition to clarifying rights and obligations in their contractual agreements and establishing their right to audit IT and cloud service providers, financial institutions must create a detailed register which documents all their IT partner contracts and relationships.
Ultimately, the compliance obligations relating to the ICT risks associated with their third-party providers fall firmly on the shoulders of finance firms. This includes the compliance of any sub-contractors that these partners may use.
Key DORA considerations for IT partners
IT and cloud service partners must perform risk assessments, deploy mitigation procedures, and demonstrate resilience, undertaking regular resilience testing that includes continuity planning and scenario-based evaluations. They must also have robust information security measures in place to protect data and systems and be open to audits by financial entities and competent authorities.
As part of this requirement, IT partners are expected to maintain detailed documentation relating to their resilience measures, including the mitigation plans they have in place to address potential disruption.
To support finance customers and assure compliance, all IT suppliers will need to increase the frequency of vulnerability scanning, utilising automated solutions and a detailed KPI reporting platform to provide evidence of ongoing compliance. DORA also mandates continuous auditing and ICT system reviews, and IT providers must implement DORA-specific employee training regimes to ensure that compliance is robust and comprehensive.
Third-party cloud providers and IT partners must also ensure the contracts they enter into with finance entities include Service Level Agreements (SLAs), incident response procedures and dispute resolution mechanisms, and must update their Master Service Agreements (MSAs) to demonstrate that these meet DORA requirements.
Why it pays to embrace DORA
Although DORA compliance is likely to come at a higher cost, due to the increased time and resources required to meet its demands, financial organisations cannot afford to bury their heads in the sand. By embracing the DORA standards and framework, UK firms will be able to strengthen their operational resilience and enhance their overall cybersecurity posture, avoiding fines for non-compliance and the costs associated with cyberattacks and downtime. Although overheads will rise, that increase will be nothing compared to the price of non-compliance.
While conformity with DORA’s mandates is a must-have for UK firms that currently operate in the EU, DORA has set the benchmark standard for operational resilience regulations that are now being adopted around the globe. Leveraging DORA’s principles to assure security and resilience for the long term will pay significant dividends for UK firms down the line.