Cleo
© 2026 Cleo Labs. All rights reserved.


DORA compliance in the UK

The UK does not apply DORA directly but has equivalent operational resilience requirements. The FCA, PRA, and Bank of England enforce the UK operational resilience framework, which shares objectives with DORA.


Enforcement authority

FCA (Financial Conduct Authority) + PRA (Prudential Regulation Authority) + Bank of England

Maximum sanctions

FCA and PRA can impose unlimited fines, public censures, and business restrictions. Senior managers may face personal liability under SM&CR.

Key obligations

What DORA requires from organizations operating in the UK.

  • Identify important business services and set impact tolerances (FCA/PRA PS21/3)
  • Map resources supporting important business services, including third-party dependencies
  • Conduct scenario testing to verify ability to remain within impact tolerances
  • Comply with the Critical Third Parties (CTPs) regime for designated ICT providers

Local context in the UK

The UK operational resilience regime (effective March 2022) predates DORA but shares core concepts. Companies operating in both jurisdictions face dual compliance. The UK Critical Third Parties regime (2024) mirrors DORA's oversight of critical ICT providers.

DORA by industry in the UK

  • Retail & Consumer Goods
  • HealthTech
  • Insurance
  • Energy & Utilities
  • Cosmetics & Personal Care
  • Electronics & Connected Devices

