DORA Compliance & ICT Risk Recruitment for UK Firms
FD Capital places DORA Compliance Officers, ICT Risk leaders, Heads of Third-Party Risk, and senior operational resilience professionals into UK firms operating within the scope of the EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554). The Regulation entered into application on 17 January 2025 and applies directly to financial entities authorised in the EU. UK firms become caught within DORA’s framework through three principal routes: where they have EU subsidiaries or branches, where they provide services to EU financial entities, and where they are designated as Critical ICT Third-Party Service Providers (CTPPs) by the European Supervisory Authorities. Adrian Lawrence FCA, founder of FD Capital and a Fellow of the ICAEW, leads every DORA-related recruitment mandate personally given the technical complexity of the Regulation and the consequences of getting senior risk and compliance hires wrong.
DORA has driven substantial recruitment activity across UK firms with EU exposure. The Regulation’s five operational pillars — ICT risk management, ICT-related incident management and reporting, digital operational resilience testing including Threat-Led Penetration Testing (TLPT), management of ICT third-party risk, and information sharing arrangements — collectively require senior professionals with deep technical expertise, regulatory engagement capability, and the operational instinct to drive substantive implementation rather than tick-box compliance. The combination of EU regulatory scrutiny, the cross-border supervisory complexity for UK firms, and the relative scarcity of candidates with substantive prior DORA implementation experience has tightened the recruitment market materially.
Call 020 3287 9501 or email recruitment@fdcapital.co.uk. Shortlists typically delivered within seven to ten working days for senior DORA mandates.
Adrian Lawrence FCA — Founder, FD Capital
Fellow of the ICAEW | ICAEW Verified Fellow | ICAEW-qualified for over 25 years | Placing senior risk and compliance leaders into UK FCA-regulated firms since 2018, including substantive engagement with DORA-driven recruitment for cross-border firms.
Our network includes senior professionals with substantive DORA implementation experience across all five operational pillars. Adrian personally screens candidates given the technical complexity of the Regulation. 4,600+ network. 160+ senior placements.
Why DORA Compliance Recruitment Requires Specialist Sector Experience
DORA is materially more prescriptive than the UK’s own SS1/21 / SYSC 15A operational resilience framework. The Regulation specifies particular contractual provisions for ICT third-party arrangements, particular incident classification criteria and compressed reporting timelines (24 hours initial, 72 hours intermediate, one month final), particular testing methodologies including TLPT, and particular governance arrangements that the management body of each financial entity must approve and oversee. The European Supervisory Authorities — EBA, ESMA and EIOPA — have published extensive Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) operationalising the Regulation in detail. Compliance requires senior leaders who can navigate this technical complexity substantively.
For UK firms, DORA-related recruitment carries an additional dimension: the parallel UK operational resilience framework. UK SS1/21 / SYSC 15A reached full implementation on 31 March 2025 and applies to UK regulated activity. UK firms with EU operations therefore operate under both regimes simultaneously — typically through an integrated framework that meets the higher of the two standards on each specific requirement. Senior candidates capable of navigating both regimes, building integrated frameworks, and maintaining productive supervisory relationships with both UK and EU authorities are particularly valued in the recruitment market.
The Critical ICT Third-Party Service Provider regime adds a third dimension. Major cloud providers, SaaS platforms, and other systemically important ICT providers can be designated as CTPPs by the ESAs and become directly subject to oversight by an appointed Lead Overseer with penalty exposure of up to 1% of average daily worldwide turnover. UK firms whose business models position them as potential CTPPs require senior candidates with regulatory engagement capability for direct EU oversight, distinct from the candidate profile typical for UK FCA-regulated firms.
DORA Roles We Recruit For
DORA Compliance Officer / DORA Programme Lead
The senior leader responsible for the firm’s overall DORA compliance, coordinating across the five pillars, managing the relationship with EU supervisors and the EU client base, overseeing the implementation programme, and reporting to the firm’s executive committee and board. The role typically sits within Compliance or Risk with strong working relationships across Technology, Operations, and Procurement. For larger firms with material EU exposure, the role is typically a senior standalone appointment; for smaller firms it may be combined with broader operational resilience or compliance responsibility.
Head of ICT Risk / Chief Information Security Officer (CISO)
Pillar 1 of DORA requires substantive uplift in ICT risk management capability. The Head of ICT Risk or CISO role has expanded materially in scope and seniority across DORA-affected firms, often becoming an Executive Committee member. Senior candidates with both technical depth (architecture, security operations, cloud platforms, incident management) and regulatory engagement experience are particularly valued. The role typically owns the ICT risk management framework, the security operations function, and the operational practices that DORA requires.
Head of Operational Resilience (with DORA scope)
The intersection of DORA and the UK SS1/21 framework has created demand for senior leaders who can navigate both regimes coherently. The Head of Operational Resilience role typically owns the integrated framework, supported by Operational Resilience Managers with specific pillar or jurisdictional focus. Candidates with experience operating across both UK and EU resilience requirements command premium compensation given the relative scarcity of dual-regime expertise.
Head of Third-Party Risk Management
Pillar 4’s substantive requirements on the third-party register, contractual provisions, ongoing monitoring, and exit strategies have driven the emergence of dedicated Third-Party Risk Management functions. The Head of Third-Party Risk role typically reports to the Chief Risk Officer or Head of Operational Resilience, with responsibility for the firm’s overall third-party risk framework including but not limited to ICT third parties.
ICT Incident Manager / Head of Cyber Operations
Pillar 2’s compressed reporting timelines have driven uplifts in incident management capability, with dedicated senior roles owning the firm’s classification, escalation, and reporting processes. These roles typically sit within Cyber Security Operations Centres or equivalent functions, with senior leadership accountable for the speed and accuracy of regulatory reporting decisions.
Head of Operational Resilience Testing / TLPT Lead
For firms within the TLPT scope, the testing programme requires dedicated senior leadership. Heads of Operational Resilience Testing manage both Pillar 3 testing and the broader UK scenario testing, ensuring the firm’s testing arrangements meet both regulatory requirements and produce substantive resilience insight.
Engagement Models for DORA-Related Senior Roles
Permanent Appointments
Most DORA Compliance Officer, Head of ICT Risk, Head of Operational Resilience, and Head of Third-Party Risk appointments are permanent given the multi-year nature of DORA implementation and ongoing compliance. Permanent recruitment typically involves comprehensive search, structured candidate assessment, and substantial board engagement given the regulatory profile of these roles.
Interim Appointments
Interim senior appointments are common for specific DORA implementation programmes, particularly during the 2023-2025 implementation period and in firms experiencing capability gaps during the build-out phase. Interim DORA leaders typically engage on six to eighteen month mandates, often with subsequent transition to permanent appointment where the fit is strong.
Consulting & Specialist Engagement
For specific DORA workstreams — particularly TLPT programme establishment, Register of Information build-out, contractual remediation across third-party portfolios, or specific RTS implementation — specialist consulting engagements are appropriate. FD Capital can support these via interim or specialist consultant placement.
What to Look for in a DORA Compliance Senior Hire
Substantive DORA implementation track record. Candidates with demonstrable prior DORA implementation experience — ideally including direct engagement with the ESAs’ RTS and ITS, with practical Pillar 4 register development, with TLPT programme establishment, or with the cross-border supervisory architecture — bring pattern recognition that generalist regulatory backgrounds cannot replicate.
Cross-jurisdictional regulatory fluency. For UK firms with EU operations, candidates capable of navigating both UK SS1/21 / SYSC 15A and EU DORA simultaneously are particularly valued. The integration of two parallel regimes requires substantive judgement and the ability to design frameworks that meet both standards efficiently.
Technical depth in ICT risk. DORA’s substantive requirements engage with technical questions — ICT architecture, security controls, cloud platform specifics, incident classification, testing methodologies — that require senior leaders capable of engaging substantively rather than relying entirely on subordinates for technical content.
Supervisory engagement capability. Senior DORA roles involve substantive engagement with EU supervisors. Candidates with prior regulatory engagement experience — whether through previous in-house roles, regulatory secondments, or audit/consulting positions — bring the credibility and judgement that productive supervisor relationships depend on.
Cultural and language fit. EU regulatory engagement often involves multi-lingual communication and cultural awareness across European jurisdictions. Candidates with relevant language skills or cultural background are particularly valuable for firms with material continental European operations.
Programme leadership capability. DORA implementation typically involves multi-year programmes touching technology, operations, procurement, legal, and compliance simultaneously. Senior candidates with substantive programme leadership experience — whether through prior change programme leadership or through previous regulatory implementation programmes — bring the discipline that complex multi-workstream delivery requires.
DORA Compliance Compensation Benchmarks
Current UK market ranges FD Capital is recruiting to in 2026. DORA-related role compensation has tightened materially given the relative scarcity of candidates with substantive prior DORA implementation experience.
| Role / Context | Indicative Compensation | Typical Context |
|---|---|---|
| DORA Compliance Officer (mid-market firm) | £100,000–£150,000 base | Mid-sized firm with EU operations |
| DORA Programme Lead (large firm) | £140,000–£200,000 base + bonus | Large firm with material EU exposure |
| Head of ICT Risk / CISO | £150,000–£280,000 base + LTIP | ExCo member at mid-large firms |
| Head of Operational Resilience (UK + DORA) | £140,000–£220,000 base + bonus | Cross-jurisdictional capability premium |
| Head of Third-Party Risk Management | £120,000–£180,000 base + bonus | Large firms with substantial third-party estates |
| Interim DORA Compliance Officer | £900–£1,400 / day | Implementation programmes |
| Interim Head of ICT Risk / TLPT Lead | £1,000–£1,600 / day | Specialist implementation work |
Compensation varies materially by firm size, sector (banks, asset managers, insurers, and crypto-asset service providers see different ranges), seniority, and the cross-jurisdictional dimension. Pre-IPO firms and PE-backed platforms typically include LTIP arrangements alongside base compensation.
How FD Capital Recruits DORA Compliance Senior Hires
The process combines standard executive search methodology with dedicated expertise in FCA-regulated firms. A briefing call takes place within 24 hours of enquiry, with Adrian Lawrence personally handling briefings for senior DORA mandates given their technical complexity. A written role specification follows by day two, covering the firm’s DORA scope, the specific implementation challenges, the existing team structure, and the regulatory engagement context. A discreet search runs through days two to ten, drawing on FD Capital’s regulated-firms network. The shortlist is presented at day seven to ten, typically four to five candidates, each with our written assessment of their DORA implementation depth, regulatory engagement capability, and cultural fit. Interviews run over two to three weeks, and appointments for senior permanent roles typically complete within 35 to 56 days of the initial briefing.
Frequently Asked Questions
Does DORA actually apply to UK firms?
DORA does not apply directly to the UK as a jurisdiction, but UK firms can become caught within its framework through three routes: EU subsidiaries or branches that are themselves financial entities for DORA purposes; provision of services to EU financial entities (which creates cascading contractual obligations); and designation as a Critical ICT Third-Party Service Provider, which brings direct EU oversight. UK firms with material EU exposure typically face substantive DORA compliance work despite the UK’s exit from the EU.
How does DORA compliance differ from UK operational resilience compliance?
DORA is more prescriptive on specific requirements (specific contractual provisions, specific incident reporting timelines, specific testing methodologies) where UK SS1/21 / SYSC 15A is more principles-based. The two frameworks share concepts — impact tolerances, third-party risk, testing — but operationalise them differently. Cross-border firms typically build integrated frameworks meeting the higher of the two standards on each requirement.
What is the Critical ICT Third-Party Service Provider regime?
Under Articles 31-44 of DORA, the European Supervisory Authorities can designate ICT third-party service providers as critical based on systemic importance criteria. Designated CTPPs become subject to direct oversight by an appointed Lead Overseer (one of the three ESAs) with rule-making and enforcement powers, including penalties up to 1% of average daily worldwide turnover for non-compliance.
How quickly can FD Capital deliver shortlists for senior DORA hires?
For senior DORA mandates, full shortlist within five to ten working days. Initial introductions to specific named candidates within 48 hours where the requirement is urgent. Adrian personally screens candidates for these placements given the consequences of getting senior risk and compliance hires wrong.
Do you place interim as well as permanent DORA roles?
Yes — interim DORA appointments are common for specific implementation programmes, capability gaps during build-out, and transition cover. Many interim DORA engagements convert to permanent where fit is strong.
Can FD Capital support cross-border DORA recruitment?
Yes — our network includes senior candidates with substantive cross-jurisdictional experience, particularly UK firms with EU operations and EU firms with UK touchpoints. We work with cross-border mandates regularly.
Related Recruitment Services
Find a DORA Compliance Senior Hire
FD Capital recruits DORA Compliance Officers, Heads of ICT Risk, Heads of Operational Resilience, Heads of Third-Party Risk, ICT Incident Managers, and TLPT Leads into UK firms with EU operations, EU subsidiaries, or material EU service relationships. Founder-led by Adrian Lawrence FCA. Sector-experienced candidates with substantive prior DORA implementation experience. Shortlists in seven to ten working days.
About the Author
Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW member record). Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name.
FD Capital has been placing senior risk, compliance, and operational resilience leaders into UK FCA-regulated firms since 2018 — including substantive engagement with DORA-driven recruitment for UK firms with EU operations or material service relationships with EU financial entities. Our network includes senior professionals with substantive DORA implementation experience across all five operational pillars. FD Capital Recruitment Ltd (Companies House 13329383) is associated with Adrian’s ICAEW registered Practice.
Speak to FD Capital about DORA-related senior recruitment: Call 020 3287 9501 or email recruitment@fdcapital.co.uk.