DORA and Operational Resilience: What It Means for Your Technology and Suppliers
DORA has turned operational resilience from good practice into a legal obligation for financial services, and its reach does not stop at the regulated firm. It extends to the technology suppliers behind them. Here is what it actually requires, in plain terms, and what to do about it, whether you are the financial entity or the provider they depend on.
For years, operational resilience was a matter of good governance and sensible engineering. You backed things up, you had a recovery plan, you hoped you never needed it. DORA changed that. Since it began to apply on 17 January 2025, resilience is a hard legal requirement for financial services across the EU, written into regulation with real supervisory teeth. And because a bank is only as resilient as the technology under it, DORA pushes those obligations straight down into the suppliers, the cloud platforms and the vendors that keep the sector running. This guide explains what it means without the jargon, and what a sensible response looks like.
DORA is not just a cybersecurity rule. It is a resilience rule, and resilience is a supply chain problem. The regulation makes financial firms responsible for the operational resilience of the entire technology chain they rely on, which means the questions it forces are as much about your vendors and your exit plans as about your own systems.
What DORA is and who it applies to
DORA is the Digital Operational Resilience Act, an EU regulation that applies directly across all member states from 17 January 2025. Its purpose is to make sure the financial system can withstand, respond to and recover from technology disruption, whether that is a cyber attack, an outage or a failure at a supplier.
It applies to a wide span of financial entities: banks, insurers, investment firms, payment and electronic money institutions, crypto asset service providers, and many more. It also reaches the ICT third party providers that serve them, and the most systemically important of those can be designated as critical providers and supervised directly. If you are a UK business, do not assume you are out of scope. A UK firm with EU operations, or a technology provider delivering services into EU financial entities, can be pulled into DORA through the contractual and oversight requirements its clients now have to impose. The obligation flows down the chain.
The five pillars, in plain English
DORA is built on five areas. Strip out the legal language and they are straightforward.
- ICT risk management. Have a proper framework for identifying, protecting against, detecting and recovering from technology risk. This is the foundation the other four sit on, owned at board level, not buried in IT.
- Incident reporting. Detect, classify and report major ICT related incidents to your regulator within defined timeframes. You need the processes to know when something is serious and the discipline to report it fast.
- Resilience testing. Test your resilience regularly, and for significant firms that includes threat led penetration testing, an advanced, intelligence driven exercise carried out on live systems at least every three years.
- Third party risk management. Manage the risk from your ICT suppliers actively. Keep a register of every ICT arrangement, put resilience, audit and exit terms in the contracts, and understand your concentration risk.
- Information sharing. Share threat intelligence with other firms, which is encouraged rather than mandated, to lift resilience across the sector.
What it actually means for your technology
Behind the compliance language, DORA forces a set of genuinely useful engineering and commercial questions. Can you actually recover, in the time you claim, and have you tested it rather than assumed it. Is your backup and disaster recovery real and proven, not a policy document. If a critical cloud service or vendor failed, or you needed to leave it, could you, and how long would it take. That last one matters more than firms expect, because DORA expects tested exit plans for important ICT services, and a great many organisations have never seriously tried to move off a platform they depend on.
Concentration risk. If most of your critical services sit with one cloud provider or one vendor, that is exactly the single point of failure DORA is designed to expose. You do not necessarily have to change it, but you do have to understand it, document it, and have a credible plan for the day it fails. Most firms have never mapped this honestly.
Third party and supplier risk is where most of the work sits
The heaviest lifting in DORA is the third party pillar, and it is the part firms most often underestimate. You need a complete register of information covering every ICT arrangement you rely on, which is harder than it sounds once shadow contracts and sub outsourcing are included. Your contracts have to carry specific resilience, audit and exit provisions, so old agreements will need renegotiating. And you need to understand not just your direct suppliers but the critical ones behind them, because supply chain risk does not stop at your first tier. The most systemically important providers to the sector can be designated as critical and brought under direct oversight, but the responsibility for managing your own supplier chain stays firmly with you.
The UK picture, if you are not in EU scope
If you are a UK only firm, DORA itself does not bind you, but do not read that as no obligation. The UK has built its own operational resilience framework on a parallel track. Firms have had to identify their important business services, set impact tolerances for them and stay within those tolerances, with the transition period having ended in March 2025. Alongside that, the UK introduced its Critical Third Parties regime, with final rules from the Bank of England, PRA and FCA effective from 1 January 2025, allowing the most systemically important suppliers to the financial sector to be designated and supervised. The detail differs from DORA, but the direction is identical: resilience of important services, tested and evidenced, with real scrutiny of the suppliers underneath. A firm operating in both the UK and the EU has to satisfy both regimes, so the sensible move is to build one resilience approach that answers both rather than two that overlap.
What to do now
The firms handling this well are not treating it as a paperwork exercise. They are mapping their important services and the technology and suppliers each one depends on, testing recovery for real rather than on paper, getting the register and the contracts in order, and being honest about concentration and exit. Done properly, that is not just compliance. It is the resilience you would want even if no regulator were watching, which is the right way to think about it.
How C4C helps
DORA sits exactly where regulation, technology and suppliers meet, which is our territory. We are independent, with no platform or vendor to protect, and we have spent decades on the vendor side of these relationships, building the contracts, the exit terms and the resilience commitments that firms now have to hold suppliers to. That is the difference: we know where a supplier will genuinely stand behind a resilience or recovery claim and where it is hoping you never test it. We help you map your critical services and the technology chain beneath them, pressure test recovery and exit rather than assume it, get the register and the contracts to where DORA needs them, and understand your concentration risk with clear eyes. Independent, practical, and grounded in how the other side of the table actually works.
Prefer to start with a free, no obligation diagnostic? Book our DORA Readiness Assessment, an independent expert read of where you stand.
Working through DORA or UK operational resilience?
Tell us where you are, whether you are the financial entity or the technology provider, and what is prompting the review. We will give you an independent, vendor neutral view on the resilience, supplier and exit questions that matter most, grounded in how these contracts and commitments really work. We have built and negotiated these supplier relationships from the inside.
Prefer email? Reach us directly at hello@c4cgroup.co.uk.
Frequently asked questions
What is DORA?
DORA is the Digital Operational Resilience Act, an EU regulation that has applied directly across all member states since 17 January 2025. It requires financial firms and the ICT providers that serve them to be able to withstand, respond to and recover from technology disruption, whether a cyber attack, an outage or a supplier failure. It is built on five pillars: ICT risk management, incident reporting, resilience testing, third party risk management, and information sharing.
Who does DORA apply to?
It applies to a broad range of EU financial entities, including banks, insurers, investment firms, payment and electronic money institutions and crypto asset service providers, and to the ICT third party providers that serve them. The most systemically important providers can be designated as critical and supervised directly. In practice its reach is wide, because financial firms must now pass resilience, audit and exit obligations down to their suppliers through contracts.
Does DORA apply to UK firms?
DORA does not directly bind a UK only firm, but do not assume you are out of scope. A UK business with EU operations, or a technology provider delivering services into EU financial entities, can be drawn into DORA through the contractual and oversight requirements its clients are now obliged to impose. The obligation flows down the supply chain, so many UK providers feel DORA through their EU customers even without being directly regulated by it.
What does DORA require for third party ICT suppliers?
The third party pillar is the heaviest part. You must keep a complete register of information covering every ICT arrangement you rely on, ensure contracts carry specific resilience, audit and exit provisions, and understand your concentration risk where critical services sit with a single provider. You also need visibility beyond your direct suppliers to the critical ones behind them. The most systemically important providers can be designated as critical and brought under direct oversight, but responsibility for managing your own supplier chain stays with you.
What is threat led penetration testing under DORA?
Threat led penetration testing, or TLPT, is the most advanced testing DORA requires. Unlike a standard penetration test, it is driven by real threat intelligence about the actors likely to target your firm and sector, and it is carried out against live production systems to simulate a genuine attack. Significant financial entities must perform it at least every three years, and a share of the tests must be run by an independent external tester. It is designed to prove resilience under realistic conditions rather than tick a box.
How is DORA different from the UK operational resilience rules?
They share the same intent but sit on separate legal tracks. DORA is an EU regulation with a detailed, prescriptive framework across the five pillars. The UK approach requires firms to identify their important business services, set impact tolerances and stay within them, with the transition period having ended in March 2025, and adds a Critical Third Parties regime effective from 1 January 2025 for the most systemically important suppliers. The detail differs, but both demand tested resilience of important services and real scrutiny of the suppliers underneath, so a firm operating in both should build one approach that satisfies both.