DORA vs FCA operational resilience: comparing the two regimes

UK financial services firms that operate across the UK and EU face two distinct but related operational resilience regulatory frameworks. The FCA’s operational resilience framework — established under Policy Statement PS21/3 and now fully in force — applies to UK-regulated firms. The Digital Operational Resilience Act — the EU regulation that came into effect on January 17 2025 — applies to EU-regulated financial entities. For UK groups with EU subsidiaries or branches, compliance with both is required simultaneously. Understanding the similarities, differences and areas of potential conflict between the two regimes is essential for compliance professionals, operational risk managers, and the board-level functions responsible for operational resilience governance.

Scope and coverage

The FCA’s operational resilience framework applies to all FCA-regulated firms in the UK — banks, investment firms, payment institutions, e-money institutions, insurers and others — with proportionality applied to smaller and less complex firms. The framework focuses on the continuity of services provided to external clients: the firm must identify its important business services, set impact tolerances for each, and demonstrate through testing that it can remain within those tolerances when disrupted.

DORA applies to a similar but not identical population of EU-regulated entities — credit institutions, investment firms, payment institutions, e-money institutions, alternative investment fund managers, UCITS management companies and a range of other financial market participants. DORA’s scope is specifically digital and ICT-focused: it addresses the resilience of the firm’s information and communications technology infrastructure, data security, ICT risk management, and the digital aspects of third-party dependencies. DORA does not address non-ICT causes of operational disruption in the same way the FCA framework does.

The core concepts compared

The FCA framework is built around the important business service and the impact tolerance. A service the firm provides to external clients that would cause intolerable harm if disrupted is an important business service; the maximum duration of disruption the firm will tolerate before that harm becomes intolerable is the impact tolerance. The framework is deliberately broad — it applies regardless of whether the cause of disruption is a cyberattack, a flood, a power failure, a third-party outage, or the loss of key staff.

DORA is built around ICT risk management. Firms must have a comprehensive ICT risk management framework covering identification and classification of ICT assets, protection and prevention measures, detection of anomalous activity, response and recovery protocols, and learning and evolving from incidents. The digital resilience testing requirements, incident reporting obligations, and third-party oversight provisions all flow from this ICT-specific framework. DORA does not use the concepts of important business services or impact tolerances — its equivalent is the concept of digital operational resilience, assessed through testing and demonstrated through compliance with the ICT risk management requirements.

Resilience testing

The FCA requires firms to test their important business services against severe but plausible scenarios to demonstrate they can remain within their impact tolerances. The requirement is deliberately non-prescriptive on methodology — firms can use tabletop exercises, simulation testing, technical testing, or a combination, provided they can demonstrate that the testing is sufficiently challenging to constitute a genuine test of the impact tolerance.

DORA prescribes a more structured testing programme. All in-scope firms must conduct basic digital operational resilience testing — including vulnerability assessments, network security assessments, gap analyses and physical security assessments — at least annually. Significant firms, as determined by size and systemic importance, must also conduct Threat-Led Penetration Testing at least every three years. TLPT is a highly specific methodology — it uses intelligence about actual threats to design adversarial testing of the firm’s systems, conducted by qualified external testers — that goes significantly beyond what most firms conduct under the FCA’s framework.

The TLPT requirement is one of the most operationally demanding differences between the two regimes. UK firms with EU entities that are considered significant under DORA must budget for, procure and manage TLPT exercises that will test their systems under conditions designed to replicate the techniques of actual threat actors. The FCA has not required TLPT under its framework, though it has encouraged firms to consider intelligence-led penetration testing as good practice.

ICT incident reporting

The FCA does not have a standalone ICT incident reporting regime — firms report material operational incidents to the FCA under the existing SUP 15 notification framework, which requires firms to notify the regulator of significant operational events without prescribing specific timeframes for digital incidents.

DORA creates a dedicated and highly prescriptive ICT incident reporting regime. Major ICT incidents must be reported through a three-stage process: an initial notification within four hours of the incident being classified as major and no later than 24 hours after first detection; an intermediate report within 72 hours of the initial notification; and a final report within one month of resolution. The content of each report is specified in DORA’s Regulatory Technical Standards. The incident must be classified against DORA’s criteria for a major ICT incident before the reporting obligations are triggered — criteria relating to the number of clients affected, the duration of the disruption, and the financial and reputational impact.

Third-party oversight

The FCA addresses third-party risk through its outsourcing rules and the expectation that firms’ operational resilience programmes address third-party dependencies as part of their important business service mapping. Firms must understand which third parties underpin their important business services, include third-party failure in their testing scenarios, and have credible exit strategies from critical providers.

DORA creates a more structured third-party management framework. Firms must maintain a complete register of all ICT third-party contractual arrangements, conduct rigorous due diligence before entering new arrangements, include specified minimum provisions in their contracts, assess the concentration risk of reliance on a small number of providers, and develop exit strategies for material arrangements. The introduction of the critical ICT third-party provider (CTPP) designation — with direct oversight of critical providers by the European Supervisory Authorities (ESAs) — adds a further layer that has no equivalent in the FCA framework.

Practical approach for dual-regime firms

UK groups with EU entities should not attempt to maintain entirely separate compliance programmes for the two regimes. The conceptual overlaps — both require testing, both require third-party management, both require incident response — create the opportunity for a unified resilience framework that satisfies both. The practical approach is to build on the broader FCA framework (important business services, impact tolerances, severe but plausible scenarios) and then layer the DORA-specific requirements on top: TLPT for significant EU entities, the three-stage incident reporting process, the DORA-compliant contract provisions, and the CTPP management obligations.

FD Capital places operational resilience professionals, chief risk officers and senior compliance officers in UK and dual-regulated firms navigating both frameworks. The specific knowledge required for this function — combining UK regulatory expertise with DORA’s detailed technical requirements — is rare and in growing demand as the May 2025 DORA compliance deadline has passed and supervisory scrutiny intensifies.

Written by

Adrian Lawrence FCA

Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383

FD Capital is an ICAEW-Registered Practice specialising in compliance and senior finance recruitment for FCA-regulated firms.
