DORA Compliance for EU/UK Financial Services

12 policies aligned to the five DORA pillars — ICT risk, incidents, resilience testing, third-party risk, and threat intelligence. Effective since 17 January 2025.

DORA (Regulation (EU) 2022/2554) · Financial Services ICT Risk

EU DORA Financial Services pack

12 policies · £600 one-off

Lifetime access · no renewal · bespoke to your firm type

Get Started — Buy Pack. Free account: preview sample policies, buy the pack when ready.

UK registered and ICO compliant · 197 frameworks · 8 jurisdictions · 990+ bespoke policies · lifetime purchase, no renewal

What is DORA?

The Digital Operational Resilience Act (Regulation EU 2022/2554) is the EU's unified rulebook for ICT risk in financial services. It became directly applicable on 17 January 2025 and harmonises operational resilience requirements across banks, insurers, investment firms, payment institutions, crypto-asset service providers and many others.

DORA is built around five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Day-to-day supervision of financial entities sits with the national competent authorities; the European Supervisory Authorities (EBA, ESMA, EIOPA) draft the technical standards and act as Lead Overseers for critical ICT third-party providers. For UK firms the FCA's parallel SYSC 15A operational-resilience regime covers similar ground.

Who needs DORA policies?

  • EU-regulated banks, insurers and investment firms — directly in scope.
  • EU payment institutions and e-money firms — including PSPs authorised under PSD2.
  • EU crypto-asset service providers authorised under MiCA — DORA applies alongside the MiCA authorisation.
  • Critical ICT third-party providers designated by the ESAs — including cloud providers serving EU financial entities.
  • UK groups with EU-authorised subsidiaries or branches — the EU entity is in scope directly. Passporting from the UK into the EU ended with Brexit, so there is no passport route; the EU entity must comply in its own right.

Policies you need for DORA

DORA is principles-based, but the supporting RTS (Regulatory Technical Standards) and ITS (Implementing Technical Standards) spell out precise documentation expectations. These 12 policies cover all five DORA pillars and are all included in our EU DORA Financial Services pack:

ICT Risk Management

Articles 5–16 — framework, governance, controls.

ICT Third-Party Risk

Articles 28–30 — register of information, key contractual provisions, concentration risk.

ICT Incident Management

Articles 17–23 — classification matrix, reporting timelines.

Operational Resilience Testing

Articles 24–27 — vulnerability scans, penetration testing cadence, annual testing of systems supporting critical or important functions.

Business Continuity

Business impact analysis, RTOs, scenario testing.

Information Security

ISMS aligned to ISO 27001 + DORA enhancements.

Change Management

ICT change governance — approvals, rollback, testing.

Identity & Access Management

Privileged access, MFA, segregation of duties.

Data Protection

DORA + GDPR alignment for EU financial data.

Major Incident Reporting

Initial notification, intermediate and final report templates built around the ITS timelines: initial notification within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours of the initial notification, final report within one month of the intermediate report.

Subcontracting Policy

Sub-outsourcing chain controls required under Art. 28–30.

Threat-Led Penetration Testing

TLPT readiness for financial entities identified by their competent authority under Article 26 — threat-led testing at least every three years, following the TIBER-EU approach.

Realistic timeline to DORA readiness

If you haven't yet started, most in-scope firms can reach documentary readiness in 6–10 weeks. Operational evidence accumulates over the following 6–12 months.

  1. Week 1–2: Buy the EU DORA pack, answer the structured questions, receive 12 bespoke policies within 48 hours.
  2. Week 3–4: Build the ICT third-party register of information — catalogue every ICT service, classify each by whether it supports a critical or important function, and check contracts for the Article 30 clauses.
  3. Week 5–6: Configure incident classification tooling against the major-incident criteria and thresholds in the classification RTS (Delegated Regulation (EU) 2024/1772); run a tabletop exercise.
  4. Week 7–10: Board approval of the ICT risk management framework, first operational resilience test, distribute policies.
  5. Ongoing: Annual testing, major-incident reporting as required, TLPT at least every three years for firms identified under Article 26.
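The register step above is the one most firms end up scripting, because the register is also where concentration risk first becomes visible. The following is an added example written for this page, not the pack's tooling and not a regulatory form: it models a few register entries, flags contracts missing an illustrative subset of the Article 30 provisions, and flags any provider that underpins more than one critical service. The clause labels, the sample providers and the concentration threshold are this example's own assumptions.

```python
"""Toy ICT third-party register checker (added example, not the pack's tooling).

Models the register-of-information step: catalogue each ICT service, mark
whether it supports a critical or important function, then flag
(a) contracts missing the key provisions DORA Article 30 expects and
(b) concentration risk where one provider underpins several critical services.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative subset of the Article 30(2)/(3) provisions. These labels are this
# example's shorthand, not regulatory identifiers; a real register would map
# each to the contract clause and the obligation it satisfies.
BASELINE_CLAUSES = frozenset({
    "service_description", "data_location", "termination_rights",
    "incident_assistance", "cooperation_with_authorities",
})
# Stricter provisions that only apply where the service supports a critical or
# important function (quantitative SLA, audit and access rights, exit strategy,
# business-continuity testing).
CRITICAL_EXTRA_CLAUSES = frozenset({
    "quantitative_sla", "audit_access_rights", "exit_strategy", "bcp_testing",
})
# Assumed threshold: two or more critical services on one provider is flagged.
CONCENTRATION_THRESHOLD = 2


@dataclass(frozen=True)
class IctService:
    provider: str
    service: str
    supports_critical_function: bool
    clauses: frozenset = field(default_factory=frozenset)


def required_clauses(svc: IctService) -> frozenset:
    """Baseline provisions apply to every ICT contract; critical or important
    functions pull in the stricter set as well."""
    required = set(BASELINE_CLAUSES)
    if svc.supports_critical_function:
        required |= CRITICAL_EXTRA_CLAUSES
    return frozenset(required)


def missing_clauses(svc: IctService) -> set:
    """Provisions the contract should carry but the register says it lacks."""
    return set(required_clauses(svc) - svc.clauses)


def concentration_report(register) -> dict:
    """Providers carrying CONCENTRATION_THRESHOLD or more critical services."""
    critical_by_provider = defaultdict(list)
    for svc in register:
        if svc.supports_critical_function:
            critical_by_provider[svc.provider].append(svc.service)
    return {
        provider: sorted(services)
        for provider, services in critical_by_provider.items()
        if len(services) >= CONCENTRATION_THRESHOLD
    }


def review_register(register) -> dict:
    """Contract gaps keyed by (provider, service) plus concentrated providers."""
    gaps = {}
    for svc in register:
        missing = missing_clauses(svc)
        if missing:
            gaps[(svc.provider, svc.service)] = sorted(missing)
    return {
        "missing_clauses": gaps,
        "concentrated_providers": concentration_report(register),
    }


# Constructed sample register; provider and service names are made up.
SAMPLE_REGISTER = [
    IctService("CloudCo", "core-banking-hosting", True,
               BASELINE_CLAUSES | CRITICAL_EXTRA_CLAUSES),
    IctService("CloudCo", "payments-gateway", True,
               (BASELINE_CLAUSES | CRITICAL_EXTRA_CLAUSES) - {"exit_strategy"}),
    IctService("MailCo", "marketing-email", False, BASELINE_CLAUSES),
    IctService("DataCo", "analytics-warehouse", False,
               BASELINE_CLAUSES - {"cooperation_with_authorities"}),
]


if __name__ == "__main__":
    report = review_register(SAMPLE_REGISTER)
    for key, missing in report["missing_clauses"].items():
        print(f"{key[0]} / {key[1]}: missing {', '.join(missing)}")
    for provider, services in report["concentrated_providers"].items():
        print(f"Concentration: {provider} underpins {', '.join(services)}")
```

Two design points carry over to real tooling: keep the list of required provisions separate per criticality tier so the register can show why a clause is demanded, and compute concentration from the same rows used for contract checks, since a provider that is critical for two functions but only has exit terms in one contract is exactly the case supervisors ask about.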

Frequently asked questions

When did DORA come into force?

DORA became directly applicable on 17 January 2025 across all EU member states. Firms were expected to have ICT risk management frameworks, registers of information and incident classification procedures in place by that date. National competent authorities are now actively reviewing firms' compliance evidence, with the ESAs (EBA, ESMA, EIOPA) coordinating supervision and overseeing critical ICT third-party providers.

Does DORA apply to UK firms?

DORA applies directly to UK firms only through their EU-authorised entities, or if they provide ICT services to EU financial entities (where the EU customer's DORA contractual requirements flow down to them). Passporting from the UK into the EU ended with Brexit, so a UK group's EU subsidiary or branch complies in its own right. The FCA's SYSC 15A regime covers similar ground — our pack maps to both.

What are the DORA pillars?

Five pillars: (1) ICT Risk Management, (2) ICT Incident Reporting, (3) Digital Operational Resilience Testing including TLPT for significant firms, (4) ICT Third-Party Risk, and (5) Information Sharing. Our policy pack covers documentation for all five.

Who must comply with DORA?

Banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, crowdfunding providers, and critical ICT third-party providers designated by the ESAs. Proportionality applies under Article 4: smaller firms, and microenterprises in particular, face lighter testing and reporting expectations. Our pack scales accordingly.

How does DORA relate to ISO 27001 and NIS2?

DORA is sector-specific and takes precedence over NIS2 for financial entities, while NIS2 covers essential and important entities across critical sectors more broadly. ISO 27001 is an international management-system standard: an ISO 27001 ISMS covers much of DORA's control ground, but certified firms still need to add TLPT readiness, the specific regulator reporting timelines, the register of information, and concentration risk analysis.

What does the EU DORA Financial Services pack include?

12 DORA-aligned policies across ICT risk management, third-party risk, incident classification and reporting, operational resilience testing, business continuity, information security, change management, IAM, data protection, major-incident reporting, subcontracting, and TLPT. Bespoke to your firm type — see live pricing on the product page.

DORA-ready in 48 hours, not 4 months

Get 12 bespoke DORA policies covering all 5 pillars — lifetime access, no renewal.

Get Started — £600