Skip to content
Azilen / Digital Transformation / DORA Compliance Checklist for UK Financial Services: A Step-by-Step Guide
Digital Transformation
by Kulmohan Makhija
March 25, 2026

DORA Compliance Checklist for UK Financial Services: A Step-by-Step Guide

Featured Image

The EU’s Digital Operational Resilience Act (DORA) came into force on 17 January 2025. Even after Brexit, UK financial firms that operate in the EU, support EU-regulated entities, or form part of their ICT supply chain must comply immediately. This is not a future regulation, it is already active. Yet, 43% of UK financial institutions missed the compliance deadline. The consequences are serious: penalties reach up to 2% of global annual turnover for financial firms and 1% of average daily turnover per day for ICT providers.

This DORA compliance checklist is built specifically for UK businesses, aligning with FCA expectations and technical realities. It covers all five pillars, ICT Risk Management, Incident Reporting, Operational Resilience Testing, Third-Party Risk Management, and Information Sharing. Along with practical checklists, it includes cost insights, a UK case reference, and structured guidance to build a strong, tech-driven compliance framework that stays future-ready.

Picture this. You open your banking app, and nothing works. Not just for you, but for millions of people. Payments fail. Salaries do not reach. Businesses stop. And no one knows when it will be fixed.

This is not a rare situation. In 2018, TSB Bank faced a massive IT failure that locked around 1.9 million customers out of their accounts and led to a £48.65 million fine. One technical issue turned into a full financial crisis overnight.

Now think bigger. Attacks like SolarWinds and major ransomware incidents showed one thing clearly, financial systems are deeply connected, and one weak link affects everyone.

This is exactly why DORA exists. It treats technology failures not as small glitches, but as serious risks to the entire financial system. And for UK firms connected to the EU, this is not optional, it is already in action.

43%

of UK financial firms were not DORA compliant at the January 2025 deadline (Orange Cyberdefense / Censuswide)

Nearly half of UK firms missed the DORA deadline — exposing critical gaps in digital operational resilience.

£842K

average spend by UK firms on DORA compliance measures in the lead-up to January 2025 (Rubrik Zero Labs)

Significant compliance investment reflects the complexity and urgency of meeting DORA requirements.

22,000+

financial entities and ICT providers across the EU directly in scope, thousands more in the UK supply chain

DORA's sweeping scope means supply chain exposure is a systemic risk across the entire financial ecosystem.

For UK firms, DORA brings a double layer of responsibility. You still follow FCA and PRA rules for operational resilience. But if your business connects with the EU in any way, through clients, partners, or as a tech provider, DORA rules apply on top of that. Ignoring either side creates risk from two directions at the same time.

This guide keeps things simple and clear. It explains who needs to follow DORA, what the five key areas actually mean in practice, and what non-compliance could cost in real terms. You will also see a step-by-step path to become compliant without confusion or unnecessary complexity.

No jargon. No overcomplication. Just a practical DORA compliance checklist that helps you take the right action.

💡

"Finance only works with trust. The age of 'move fast and break things' is over. DORA is simply a reality of doing business in the digital age."

— NCC Group, UK Cybersecurity Specialists

The Definitive DORA Scope Table for UK Firms

Before you build a compliance programme, you need to know whether you need one. Here is the complete breakdown of UK entity types, their DORA status, and the FCA equivalent – in one place.

Entity Type
DORA In Scope?
UK FCA Equivalent
Risk Level
Key DORA Articles
UK banks with EU operations (e.g. Barclays, HSBC EU branches)
YES — Full Scope
PS21/3, SS2/21 (PRA)
Critical
Art. 5–16, 17–23
UK payment institutions serving EU clients
YES — Full Scope
FCA SYSC 8, PSRs 2017
Critical
Art. 2(1)(d), 5–16
UK fintechs providing ICT to EU-regulated firms
YES — if critical ICT
FCA SYSC 8.1
High
Art. 28–44
UK cloud providers (AWS, Azure, etc.) used by EU banks
Indirect / pushed down
FCA SS1/21
High
Art. 28, 30–32
UK investment firms with EU fund management
YES — Full Scope
COBS, MiFID II retained UK
Critical
Art. 5–16, 24–26
UK insurance companies (EU branch operations)
YES — Full Scope
Solvency II (retained)
High
Art. 5–14
UK crypto-asset firms (operating in EU under MiCA)
YES — Full Scope
FCA Crypto Registration
High
Art. 2(1)(q)
Small UK fintechs (under 10 employees, no EU ops)
NOT in scope
FCA Threshold Conditions
Low
Art. 2(5) — microenterprise exemption
UK challenger banks (Monzo, Starling — EU passported services)
Partial — EU activity only
FCA Banking Licence
Medium–High
Art. 2(1)(a), 17–23
UK data centres used by EU financial entities
Contractual flow-down likely
FCA SS2/21 outsourcing
High
Art. 28(4), 30

Unlike EU countries where DORA is a direct law, UK firms only need to follow it if they work with the EU. This includes serving EU customers, partnering with EU firms, or offering ICT services to EU banks.

At the same time, the UK is moving in a similar direction. The Financial Conduct Authority (FCA) and PRA are already working on stronger rules under the Financial Services and Markets Act 2023, especially around Critical Third Parties. Many people are already calling this “UK DORA.”

This means one thing, aligning with a DORA compliance checklist today is not just about EU exposure. It also supports FCA operational resilience UK requirements and prepares your business for upcoming regulation.

For firms working on core banking integrations, investing in banking automation UK, or exploring AI in banking, this becomes even more important. Strong UK financial services resilience is no longer optional, it is expected.

The RegTech Compliance Landscape: What UK Digital Banks Must Navigate

DORA Compliance Shield

1
ICT Risk Management FrameworkGovernance & control
2
Incident Management & ReportingDetect, respond, report
3
Digital Operational Resilience TestingThreat-led penetration testing
4
Third-Party ICT Risk ManagementVendor & supply chain oversight
5
Information Sharing ArrangementsThreat intelligence exchange

Before we dive into how RegTech solves these challenges, let’s understand the battlefield. This is the regulatory map every UK digital bank operates in, and it’s not for the faint-hearted.

ICT Risk Management Framework (Pillar 01) (Article 5–16)

DORA mandates that your board, not your IT department, owns ICT risk. This is the cultural shift that most UK firms underestimate. The governance must be documented, board-approved, and reviewed at least annually.

✔ Establish a board-approved ICT Risk Management Framework (IRMF) with defined roles, responsibilities, and annual review cycles
✔ Map all critical business services to their underlying ICT systems and data flows (full dependency mapping)
✔ Conduct a comprehensive ICT risk assessment covering confidentiality, integrity, availability, and authenticity (CIAA)
✔ Implement and document information security policies aligned to ISO 27001 or NIST CSF
✔ Define and enforce multi-layered network segmentation, access controls (RBAC/ABAC), and encryption standards (AES-256 at rest, TLS 1.2+ in transit)
✔ Establish change management procedures with pre-migration testing requirements (the TSB lesson)
✔ Define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for all critical systems
✔ Maintain a live ICT asset inventory updated at minimum quarterly
✔ Implement continuous vulnerability scanning and patch management SLAs (Critical: 72hrs, High: 7 days)
✔ Appoint a named ICT Risk Manager at senior executive level with direct board reporting line

ICT-Related Incident Management & Reporting (Pillar 02) (Article 17–23)

When something goes wrong, and with cyber threats rising, it is a matter of when, not if, DORA gives you very little time. The reporting timelines are tight and the classification criteria are precise. This is where most firms stumble.

✔ Establish a documented ICT incident management process with classification criteria based on DORA’s materiality thresholds
✔ Build an escalation matrix from Level 1 (minor disruption) to Level 3 (major ICT incident requiring regulatory notification)
✔ Implement SIEM (Security Information and Event Management) tooling capable of real-time incident detection and log correlation
✔ Submit Initial Notification to competent authority within 4 hours of classifying a major ICT incident (or no later than 24 hours from detection)
✔ Submit Intermediate Report with root cause analysis within 72 hours of the initial notification
✔ Submit Final Report with full remediation timeline within 1 month of the incident
✔ Classify incidents using the EU harmonised taxonomy (impact on clients, geographic spread, economic impact, reputational consequences)
✔ Maintain an ICT incident register with status tracking, timestamps, classification, and evidence logs
✔ Conduct post-incident reviews (PIRs) within 2 weeks of resolution for all Major ICT Incidents
✔ Integrate incident reporting workflows with FCA regulatory reporting (GABRIEL / RegData) to avoid double-entry burden

Digital Operational Resilience Testing (Pillar 03) (Article 24–27)

Think of this as stress-testing your digital systems, similar to how the Bank of England tests financial stability. DORA requires different levels of testing, from basic scans to advanced simulations like Threat-Led Penetration Testing (TLPT), which mimics real-world cyber attacks.

✔ Conduct annual vulnerability assessments across all in-scope ICT systems using authenticated scanning tools (Tenable, Qualys, or equivalent)
✔ Perform annual scenario-based testing simulating real disruption events (cloud outage, ransomware attack, supply chain failure)
✔ Implement Threat-Led Penetration Testing (TLPT) at least once every 3 years for significant firms, using the TIBER-EU framework
✔ Conduct quarterly penetration testing for internet-facing critical systems and payment gateways
✔ Execute Business Continuity Plan (BCP) and Disaster Recovery (DR) drills at least twice a year with proper documentation
✔ Test backup restoration monthly, not just backups, but full data recovery and validation
✔ Conduct Red Team exercises to test detection and response end-to-end
✔ Document all test results, define actions, assign owners, and track progress to closure with evidence
✔ Ensure TLPT results are reviewed by the board and shared with regulators where required
✔ Apply proportionality, smaller firms may follow simpler testing plans but must clearly document the risk-based reasoning

Third-Party ICT Risk Management (Pillar 04) (Article 28–44)

This is the pillar that keeps many UK IT leaders on edge. Under DORA, if your cloud provider, SaaS vendor, or data centre fails, the responsibility still sits with you. Saying “it was the vendor’s fault” is no longer acceptable under the regulation.

✔ Build and maintain a complete ICT Third-Party Register (ICTPSR), including direct and important indirect (fourth-party) providers
✔ Classify all third-party ICT relationships based on criticality and clearly document how this is assessed
✔ Perform pre-contract checks covering financial stability, security standards, business continuity, and compliance status
✔ Ensure all ICT contracts include key DORA clauses such as audit rights, service levels, incident reporting, data portability, and exit terms
✔ Review existing contracts and update them with DORA requirements (January 2025 deadline — check status immediately)
✔ Map all sub-contractors (fourth-party risk) for critical services, not just primary vendors
✔ Conduct annual third-party risk assessments with proper documentation
✔ Create clear exit strategies and transition plans for all critical ICT providers, including concentration risk scenarios
✔ Monitor third-party performance regularly using KPIs and KRIs with defined escalation points
✔ Engage with suppliers marked as Critical Third-Party Providers (CTPPs), as they will face direct regulatory oversight

Information Sharing Arrangements (Pillar 05) (Article 45)

DORA encourages firms to share cyber threat information with each other. It is not strictly mandatory, but it is strongly recommended. Think of it like a financial sector “neighbourhood watch,” where firms share risks, attack patterns, and warning signs to stay protected together.

✔ Assess eligibility and join trusted cyber threat intelligence sharing groups within the financial sector
✔ Set up internal processes to receive, review, and act on threat intelligence from ISACs (Information Sharing and Analysis Centres)
✔ Share anonymised incident data and indicators of compromise (IoCs) where legally allowed
✔ Integrate threat intelligence into your SIEM and detection systems (using formats like STIX/TAXII)
✔ Ensure all sharing follows confidentiality rules and complies with UK GDPR and the Data Protection Act 2018
✔ Review and update your participation in these networks at least once a year
✔ Inform the FCA if you are part of cross-border intelligence sharing involving EU organisations

DORA Qualification Checker
Answer 3 quick questions
Are you a UK financial services firm?
Regulated by the FCA or PRA
YES
Do you have any EU connection?
Clients, partners, subsidiaries or EU operations
YES
Do you provide ICT services to EU financial entities?
Cloud, SaaS, data, infrastructure or core banking
YES
You are a DORA-impacted firm
Full or partial compliance applies — start with your DORA compliance checklist and assign owners across your organisation.

The £330 Million Warning: What TSB’s IT Disaster Tells Every UK Bank About DORA

If there is one case study that encapsulates why DORA exists, it is TSB Bank in 2018. And it did not happen in a small obscure fintech. It happened at a mainstream UK high street bank with millions of customers.

UK Real-World Case Study £330M Total Cost

TSB Bank — The Proteo4UK
IT Migration Failure

In April 2018, TSB attempted to migrate 5.4 million customer accounts from a Lloyds Banking Group legacy platform to a new system called Proteo4UK — a UK-specific version of its Spanish parent company Sabadell's platform. The migration was planned over four years. It went catastrophically wrong in a single weekend.

1.9M Customers locked
out of accounts
£330M Total cost including
compensation & fines
£48.65M FCA + PRA combined
regulatory fine

The FCA found that TSB "failed to organise and control the IT migration programme adequately", and failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier. TSB was relying on up to 85 sub-contractors through its IT provider SABIS — and had not verified that SABIS's supplier management model complied with TSB's own outsourcing policy.

Let's put this in DORA terms. TSB failed on four of DORA's five pillars simultaneously:

Pillar 1 (ICT Risk Management): No adequate pre-migration testing. RTOs and RPOs not validated. Governance insufficient.
Pillar 2 (Incident Reporting): No structured escalation plan. Customer communication chaotic. 225,000+ complaints.
Pillar 3 (Resilience Testing): Pilots were too small-scale. No live-environment testing. No phased rollout.
Pillar 4 (Third-Party Risk): No due diligence on SABIS's readiness. Supply chain mapped but not verified. No exit strategy.
The DORA Consequence Today

Under DORA's current enforcement regime, a failure of this scale would trigger not just FCA/PRA action, but EU supervisory authority investigation, mandatory public disclosure, and potential daily fines. The lesson for every UK bank: untested technology, unverified third parties, and unmapped supply chains are now existential liabilities — not just operational risks.

What this means for your firm
  • Workflow clarity everywhere
  • Scalable, future-proof architecture
  • Efficiency that compounds daily

What the Industry Is Saying About DORA

The DORA discussion is very much alive on social platforms and in boardrooms. Here is the kind of sentiment resonating across UK financial services communities.

The UK’s NCSC regularly publishes cyber resilience guidance aligned with DORA principles.

The Cyber Defence Alliance (a consortium of UK and EU banks) has been particularly active in sharing threat intelligence relevant to DORA Art. 45 information-sharing obligations.

How UK Financial Firms Are Using Technology to Achieve DORA Compliance

Compliance does not have to mean armies of manual reviewers and spreadsheet-driven audits. The most forward-thinking UK firms are deploying automation and AI in banking compliance programmes to meet DORA obligations at scale.

AI-Powered Incident Classification

UK banks are deploying ML-based SIEM tools that automatically classify ICT incidents against DORA’s materiality thresholds. A system that previously required a human analyst 2–4 hours to assess now generates a preliminary DORA classification within minutes, giving compliance teams a head-start on the 4-hour reporting clock.

Tools like Splunk SIEM, Microsoft Sentinel, and IBM QRadar are being configured with DORA-specific detection models.

This shift strongly supports Data-driven Forecasting & Reporting, helping teams move faster with accurate, real-time insights.

Automated ICT Third-Party Registers

DORA’s requirement for comprehensive ICT third-party registers (Art. 28) becomes difficult if handled manually. UK fintechs are using GRC platforms like ServiceNow IRM, Archer, and OneTrust, integrated with contract systems to auto-populate vendor registers, trigger reviews, and flag missing clauses.

This level of automation aligns closely with modern Investment & Wealth Management Tools, where structured data and compliance tracking are essential.

Continuous Vulnerability Management

Instead of annual pen-tests, UK banks are shifting to continuous platforms like Tenable.io and Qualys VMDR that provide real-time risk scoring. This meets DORA requirements while building a continuous evidence trail for regulators.

This approach also complements Payment Gateway & Transaction Platforms, where uninterrupted security and performance are critical.

Board-Level ICT Risk Dashboards

DORA requires board-level ownership of ICT risk. UK firms are using dashboards (Power BI, Tableau) to convert technical metrics into clear KPIs and KRIs. This ensures leadership understands risk without technical overload.

These dashboards often integrate with Data-driven Forecasting & Reporting systems, making decision-making faster and more accurate.

Supply Chain Visibility Platforms

The TSB incident highlighted the importance of fourth-party risk. UK banks now use platforms like BitSight and SecurityScorecard to monitor vendors and their supply chains in real time. Alerts trigger when risks increase, allowing proactive action.

This visibility is critical for Payment Gateway & Transaction Platforms, where even small disruptions impact customer trust.

Digital Twin Testing Environments

Leading UK financial institutions are building digital twin environments, virtual replicas of systems, to safely run resilience testing. This allows ransomware simulations, outage drills, and scenario testing without affecting live systems.

This is where AI in banking truly connects with advanced systems like Automated Reconciliation Systems, ensuring both compliance and operational accuracy.

Azilen’s Engineering Blueprint: Building DORA-Ready Digital Banking Platforms

Compliance gaps in digital banking do not happen because teams ignore regulation. They happen because compliance is added too late, on systems that were never designed for regulatory pressure at scale.

For UK firms dealing with DORA, this approach creates risk. DORA expects resilience, not patchwork fixes.

Azilen is a Digital Transformative Company working with UK fintech firms, challenger banks, payment providers, and wealth platforms to build systems that align with a DORA compliance checklist from the ground up. The focus is simple, design systems that meet both FCA operational resilience UK requirements and EU expectations without constant rework.

Instead of adding compliance later, Azilen builds UK financial services resilience directly into the architecture.

DORA-Aligned ICT Risk Architecture: Systems are designed with clear risk visibility, asset mapping, and dependency tracking. This ensures firms meet DORA’s ICT risk management requirements while supporting scalable banking automation UK environments.

Real-Time Incident Detection & Reporting Systems: Integrated monitoring frameworks detect, classify, and report incidents within strict timelines. This supports DORA’s reporting requirements while leveraging AI in banking for faster and more accurate incident handling.

Automated Third-Party Risk Management: Built-in frameworks track vendors, contracts, and fourth-party dependencies in real time. This ensures continuous oversight aligned with DORA’s third-party risk requirements, especially for firms managing complex ecosystems.

Continuous Resilience Testing Infrastructure: Platforms are designed to support ongoing testing — from vulnerability scans to scenario simulations. This helps firms stay audit-ready while maintaining strong operational resilience.

Compliance-Ready Data & Reporting Layers: Structured data systems ensure all regulatory reporting is consistent, traceable, and audit-ready. This reduces manual effort and strengthens long-term compliance.

Azilen does not treat compliance as a final step before launch. It becomes part of the engineering foundation.

FAQs: DORA Compliance Checklist

1. What is a DORA compliance checklist for UK financial firms?

A DORA compliance checklist is a structured guide that helps UK financial institutions meet the EU’s Digital Operational Resilience Act requirements. It covers areas like ICT risk management, incident reporting, resilience testing, and third-party risk. Even UK firms must follow it if they have EU exposure, making it essential for building strong UK financial services resilience.

2. Do UK firms need to follow DORA after Brexit?

Yes, if they operate in the EU, serve EU clients, or provide ICT services to EU-regulated entities. In such cases, DORA applies alongside FCA operational resilience UK rules. This creates a dual compliance requirement, where firms must align with both UK and EU expectations.

3. How does DORA impact banking automation in the UK?

DORA pushes firms to build secure and resilient systems, which directly affects banking automation UK strategies. Automated systems must now include real-time monitoring, incident response, and audit-ready reporting to meet regulatory standards.

4. What role does AI play in DORA compliance?

AI in banking helps firms meet DORA requirements by improving incident detection, risk analysis, and reporting speed. AI-powered tools can classify incidents faster, reduce manual workload, and support continuous monitoring, making compliance more efficient and accurate.

5. How can firms build long-term UK financial services resilience under DORA?

Firms should design systems with compliance built into the foundation rather than adding it later. This includes following a DORA compliance checklist, strengthening FCA operational resilience UK alignment, managing third-party risks, and investing in scalable, secure digital infrastructure.

Glossary

DORA (Digital Operational Resilience Act): EU regulation that ensures financial firms build strong, secure, and resilient digital systems.

DORA Compliance Checklist: A step-by-step guide that helps firms meet DORA requirements across risk, testing, reporting, and third-party management.

FCA Operational Resilience UK: Guidelines set by the UK regulator to ensure financial services remain stable and functional during disruptions.

ICT (Information and Communication Technology): All systems, networks, software, and data used to run digital banking operations.

ICT Risk Management Framework: A structured approach to identify, assess, and manage risks related to digital systems.

Incident Reporting: The process of identifying, classifying, and reporting system failures or cyber incidents within defined timelines.

Operational Resilience Testing: Testing systems through simulations and drills to ensure they can handle disruptions and recover quickly.

Third-Party ICT Risk Management: Managing risks that come from vendors, cloud providers, and external technology partners.

Information Sharing Arrangements: Secure ways for financial firms to share cyber threat intelligence and risk insights with each other.

Banking Automation UK: Use of technology to automate banking processes like payments, compliance, and reporting.

AI in Banking: Use of artificial intelligence to improve fraud detection, risk management, and operational efficiency.

UK Financial Services Resilience: The ability of financial institutions to continue operations even during disruptions or cyber threats.

SIEM (Security Information and Event Management): A system that monitors, detects, and analyses security events in real time.

TLPT (Threat-Led Penetration Testing): Advanced testing that simulates real cyber attacks to identify weaknesses in systems.

Core Banking Integrations: Connecting different banking systems and platforms to ensure smooth operations and data flow.

Contact Us
Rest assured. Your data is secure with us.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
NAME*
Kulmohan Makhija
Kulmohan Makhija
Vice President – Growth & Enterprise Strategy

Kulmohan Makhija is an enterprise technology and business strategy writer with over 12 years of experience analyzing digital transformation across global and European markets. His work focuses on applied artificial intelligence, product engineering, enterprise architecture, and large-scale legacy modernization. He explores how complex organizations modernize core systems, adopt AI responsibly, and align innovation with regulatory, cultural, and operational realities — particularly within the UK and broader European technology landscape. With a pragmatic enterprise perspective, Kulmohan emphasizes transformation that delivers measurable impact without disrupting mission-critical operations. His writing bridges executive strategy with technical depth, providing clarity for technology leaders, product teams, and decision-makers navigating modernization journeys.

Related Insights

FCA-Ready Digital Onboarding Azilen Technologies
Digital Transformation
16 mins
FCA-Ready Digital Onboarding: How UK Banks Are Automating KYC and AML at Scale
Feb 18, 2026
Read More
DPP early adopter advantage UK
Digital Transformation
22 mins
Why UK Manufacturers Who Adopt DPP Early Will Dominate EU Markets by 2027
Mar 31, 2026
Read More
AI Automation is Reducing Costs in UK Banks
Automation
78 mins
How AI Automation is Reducing Costs in UK Banks
Mar 09, 2026
Read More
AI Digital Product Passport
Digital Transformation
23 mins
AI and Digital Product Passport: How UK Manufacturers Are Using AI DPP to Automate Compliance in 2026
Mar 31, 2026
Read More
Reimagining Loan Origination in the UK
Automation
21 mins
Reimagining Loan Origination in the UK: AI-Driven Credit Platforms Replacing Legacy Lending Systems
Feb 18, 2026
Read More