DORA Guide

What is the Digital Operational Resilience Act (DORA), why does it apply to UK financial firms when the UK is no longer an EU Member State, and what does effective DORA compliance actually look like in practice for the UK firms now within its scope through their EU operations, branches, subsidiaries, or service relationships with EU financial entities?

The Digital Operational Resilience Act — Regulation (EU) 2022/2554, known universally as DORA — entered into application on 17 January 2025 and represents the most comprehensive single piece of operational resilience regulation in the world. DORA harmonises the digital operational resilience requirements across approximately twenty categories of EU financial entities, replacing the patchwork of differing national requirements that had developed under earlier directives. It also establishes, for the first time anywhere, a direct regulatory oversight regime for the critical third-party technology providers — the cloud hyperscalers, the major SaaS platforms, the data centre operators — on which the financial system has come to depend. For UK firms, DORA is not a foreign regulation that can be ignored. UK firms with EU subsidiaries or branches must ensure those entities comply directly with DORA. UK firms providing services to EU financial entities face DORA’s third-party risk requirements through their EU clients’ contractual obligations. UK firms with cross-border operations face complex questions about which framework applies to which activity. And UK firms that are themselves designated critical third-party providers face the prospect of direct EU oversight from one of the European Supervisory Authorities (ESAs).

The UK has chosen its own path on operational resilience — the FCA’s policy statement PS21/3 “Building Operational Resilience” and the PRA’s Supervisory Statement SS1/21 set out a principles-based framework focused on important business services, impact tolerances, mapping of resources, and scenario testing against severe but plausible disruption. The UK framework reached full implementation on 31 March 2025. The Bank of England, FCA and PRA have also been developing a UK Critical Third Party regime that will, in some respects, mirror DORA’s approach to direct oversight of major technology providers. UK firms therefore face the practical challenge of operating within two parallel resilience frameworks — UK SS1/21 / SYSC 15A for their UK regulated activity, and DORA for their EU regulated activity — that share concepts (impact tolerances, third-party risk, testing) but use different terminology, different reporting expectations, and different supervisory cultures.

This guide sets out what DORA is, who it applies to, what it requires, how UK firms become caught within its scope, and what effective compliance looks like in practice. It covers the regulation’s five operational pillars, the governance and oversight architecture, the Critical ICT Third-Party Provider regime that introduces direct EU oversight of the largest technology providers, the relationship between DORA and the UK’s own SS1/21 / SYSC 15A framework, the implementation timeline, the penalties for non-compliance, and the recruitment implications for UK firms building DORA compliance capability. It is written for senior finance leaders, Chief Risk Officers, Chief Compliance Officers, Heads of Operational Resilience, and Heads of Technology Risk in UK firms whose operations bring them within DORA’s scope.

It is written from the perspective of FD Capital’s team — a specialist finance recruitment firm placing senior finance, risk, and compliance leaders into UK FCA-regulated firms since 2018, including substantive engagement with operational resilience and DORA-driven recruitment for cross-border firms.

Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss DORA-related senior recruitment, including DORA Compliance Officers, ICT Risk leadership, Heads of Third-Party Risk, and senior operational resilience appointments.

FD Capital — DORA and Operational Resilience Recruitment for UK Firms
Fellow of the ICAEW | Placing senior risk, compliance and operational resilience leaders into UK FCA-regulated firms since 2018 — including DORA-driven appointments for firms with EU operations, EU subsidiaries, or material service relationships with EU financial entities

Our network includes senior risk and compliance professionals with substantive DORA implementation experience — across Pillar 1 ICT risk frameworks, Pillar 2 incident reporting, Pillar 3 testing programmes, Pillar 4 third-party risk and the Register of Information, and Pillar 5 information sharing arrangements. Adrian Lawrence FCA personally screens senior candidates for DORA-related placements. Network of 4,600+ professionals; 160+ senior placements.


What DORA Is — and Why It Was Created

DORA is the European Union’s response to a structural shift in the way financial services depend on technology. The regulation was developed against the backdrop of a financial system in which the most critical operational resilience risks no longer sit within firms themselves but in the technology supply chain that supports them. A handful of cloud hyperscalers (notably Amazon Web Services, Microsoft Azure and Google Cloud), a small number of major SaaS providers (Salesforce, ServiceNow, Workday, and others), and the wider ecosystem of payment networks, data providers, market infrastructure operators, and security technology vendors collectively support the operations of essentially every financial entity in the European Union. A material disruption at any of these providers could cascade across the financial system in ways that no individual firm can fully prevent through internal resilience measures alone.

The regulation was adopted on 14 December 2022 and published in the Official Journal of the European Union on 27 December 2022. It applies in full from 17 January 2025 — a two-year implementation runway designed to allow financial entities and their technology providers to develop the frameworks, processes, contractual arrangements, and operational capabilities the regulation requires. DORA is a Regulation rather than a Directive — it applies directly in all EU Member States without requiring national transposition, ensuring genuine harmonisation of requirements across the EU.

Five concerns drove DORA’s development. First, the heterogeneity of operational resilience requirements across EU Member States created compliance friction for cross-border firms and uneven protection across the bloc. Second, the increasing concentration of the financial system’s technology dependencies on a small number of providers created systemic risk that no individual firm could mitigate. Third, the absence of any direct regulatory oversight of these critical technology providers meant supervisors had only indirect levers to address concerns about their resilience. Fourth, the inconsistency of incident reporting frameworks across Member States limited regulators’ ability to identify and respond to systemic operational risks in real time. Fifth, the absence of harmonised testing requirements meant that the operational resilience of comparable firms across the EU was being assessed against materially different standards.

DORA addresses all five of these concerns simultaneously. It harmonises ICT risk management requirements across all in-scope financial entities. It introduces a direct EU-level oversight regime for designated Critical ICT Third-Party Service Providers. It establishes a single incident reporting framework with harmonised classifications, thresholds, and timelines. It mandates a common digital operational resilience testing programme, including advanced threat-led penetration testing for systemic firms. And it provides for voluntary information-sharing arrangements that allow financial entities to share threat intelligence without competition or data protection concerns.


Who DORA Applies To — Scope and Application

DORA applies to approximately twenty categories of EU financial entities listed in Article 2 of the Regulation. The scope is deliberately wide and captures essentially every category of EU-regulated financial business. The principal categories include credit institutions (banks), payment institutions, electronic money institutions, account information service providers, investment firms, crypto-asset service providers (CASPs) authorised under the Markets in Crypto-Assets Regulation (MiCA), central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, alternative investment fund managers (AIFMs), management companies of UCITS funds, data reporting services providers, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision (IORPs), credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories.

The Regulation applies a proportionate approach for smaller entities. Microenterprises — defined as financial entities with fewer than 10 employees and annual turnover or balance sheet total below €2 million — are subject to simplified requirements in several areas, particularly around governance arrangements and certain testing requirements. The proportionality principle runs throughout the Regulation, with requirements scaling to the size, nature, complexity and risk profile of each financial entity.

For UK firms, the scope question becomes more nuanced. UK firms are not directly subject to DORA, but they are caught within its framework through three principal routes. First, where a UK firm has an EU subsidiary or EU branch authorised in an EU Member State, that EU entity is itself a financial entity for DORA purposes and must comply directly. Second, where a UK firm provides services to EU financial entities — including ICT services, market data, custody, fund administration, or other operational services — the EU client’s DORA obligations create contractual cascading requirements that bind the UK service provider through commercial agreements. Third, where a UK firm is designated as a Critical ICT Third-Party Service Provider (a designation discussed in detail below), it can become directly subject to oversight by one of the European Supervisory Authorities regardless of its location.

The third-party cascade is particularly important for UK firms whose business models include significant service provision to EU financial entities. Article 30 of DORA sets out detailed contractual provisions that financial entities must include in their contracts with ICT third-party service providers. UK firms providing ICT services to EU clients should expect those clients to require DORA-compliant contractual provisions, including extensive rights of access for supervisors, mandatory cooperation with audits, specific termination rights, defined exit strategies, and detailed reporting obligations. Many UK firms have found that the contractual demands of EU clients have effectively required them to operate to DORA standards across their entire ICT estate, even where parts of that estate are notionally only serving UK customers, because the operational architecture does not always permit clean separation.


The Five Pillars of DORA

DORA’s substantive requirements are organised across five pillars, each addressing a distinct dimension of digital operational resilience.

Pillar 1 — ICT Risk Management Framework (Articles 5-15)

The first and foundational pillar requires every in-scope financial entity to establish and maintain a comprehensive ICT risk management framework. Article 5 sets the governance expectation: the management body of the financial entity bears ultimate responsibility for ICT risk management, must approve and oversee the implementation of the ICT risk management framework, and must allocate appropriate resources and budgets to ICT risk management. This is a substantive governance provision — not merely a tick-box approval — and in-scope firms have generally found that meeting it has required materially uplifting the engagement of executive committees and boards with ICT risk matters.

The framework itself must address the full ICT risk lifecycle: identification, protection and prevention, detection, response and recovery, learning and evolving, and communication. Specific requirements include: a documented ICT business continuity policy and ICT response and recovery plans; arrangements to ensure the security, integrity, confidentiality and availability of data; protection against intrusion and data misuse; backup procedures; and crisis communication arrangements. The framework must be reviewed at least annually and after major changes or significant ICT-related incidents.

The technical implementation of Pillar 1 requirements has been substantial for many firms. The European Supervisory Authorities have published Regulatory Technical Standards (RTS) under Article 15 specifying detailed expectations for the ICT risk management framework, including specific requirements for asset management, encryption, access management, application security, change management, vulnerability management, and physical security. These RTS have driven extensive uplift programmes across in-scope firms, particularly those whose existing ICT risk management practices were less mature.

Pillar 2 — ICT-Related Incident Management, Classification and Reporting (Articles 17-23)

The second pillar establishes a harmonised framework for managing, classifying, and reporting ICT-related incidents. Financial entities must establish an ICT-related incident management process capable of monitoring, handling, reporting on, and learning from incidents. Article 18 requires financial entities to classify ICT-related incidents based on criteria including the number of clients affected, the duration of the incident, the geographical spread, the data losses, the criticality of the services affected, and the economic impact.

Major ICT-related incidents must be reported to the relevant competent authority. The reporting timeline is highly compressed by historical standards: an initial notification within 24 hours of incident classification, an intermediate report within 72 hours, and a final report within one month. The European Supervisory Authorities have published Implementing Technical Standards (ITS) on the harmonised reporting templates and procedures. Financial entities may also voluntarily notify significant cyber threats to competent authorities, even where no incident has materialised.

The compressed timelines have driven substantial uplifts in firms’ incident classification and reporting capabilities. The 24-hour initial notification window means that decision-making about whether an incident is “major” must happen quickly, with limited information, and against detailed regulatory criteria. Many firms have responded by establishing dedicated DORA incident response teams with delegated classification authority, integrated with the firm’s broader Cyber Security Operations Centre or equivalent function.

Pillar 3 — Digital Operational Resilience Testing (Articles 24-27)

The third pillar establishes a tiered testing regime. All in-scope financial entities must establish a comprehensive digital operational resilience testing programme that tests the resilience of their critical ICT systems on at least an annual basis. The testing must include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, and end-to-end testing.

For larger and more systemic financial entities, DORA introduces an advanced testing regime: Threat-Led Penetration Testing (TLPT). TLPT must be conducted at least every three years on critical ICT systems supporting critical or important functions. The testing must use intelligence about real-world threat actors targeting the financial sector and must be conducted by external testers meeting specific competency and independence requirements. Article 26 sets out detailed requirements for TLPT, and the European Supervisory Authorities have published RTS specifying the methodology in detail. The TLPT framework draws extensively on the existing TIBER-EU framework that several EU central banks had already implemented.

The proportionality principle determines which financial entities are subject to TLPT. The criteria include the entity’s size, the criticality of the services it provides to the financial system, the systemic importance of the entity, and the maturity of the entity’s existing testing arrangements. In practice, the TLPT requirement applies to large credit institutions, significant investment firms, central counterparties, central securities depositories, and other systemic infrastructure providers.

Pillar 4 — ICT Third-Party Risk Management (Articles 28-44)

The fourth pillar is the longest and most operationally demanding. It establishes a comprehensive framework for managing ICT third-party risk throughout the relationship lifecycle: pre-contractual due diligence, contractual provisions, ongoing monitoring, exit strategies, and oversight of critical providers.

Article 28 sets the general principles. Financial entities must manage ICT third-party risk as an integral component of their overall ICT risk management framework. They must maintain a register of information on all contractual arrangements with ICT third-party service providers, distinguishing between arrangements supporting critical or important functions and other arrangements. The register must be reported annually to the competent authority and must capture extensive information about each third-party arrangement.

Article 30 prescribes specific contractual provisions that must be included in arrangements with ICT third-party service providers. These provisions include: clear and complete description of the functions and ICT services provided; the locations where the functions and services will be provided; service level agreements; provisions on the protection of personal data; rights to monitor performance; rights of access and inspection by the financial entity, by the competent authority, and by appointed auditors; cooperation requirements during investigations; termination rights; assistance with operational continuity in the event of contract termination; and exit strategies including transition periods.

The Critical ICT Third-Party Service Provider (CTPP) regime is the most innovative aspect of Pillar 4 — and indeed of DORA as a whole. Articles 31-44 establish a framework under which the European Supervisory Authorities collectively designate ICT third-party service providers as “critical” based on the systemic importance of their services to the financial system, the substitutability of their services, the criticality of the services to the financial entities they serve, and other factors. Once designated, CTPPs become directly subject to oversight by a designated Lead Overseer (one of the three ESAs). The Lead Overseer can conduct on-site inspections, require information, issue recommendations, and ultimately impose periodic penalty payments of up to 1% of the CTPP’s average daily worldwide turnover for non-compliance with binding recommendations.

For UK firms, the CTPP regime has two implications. First, UK firms whose business models position them as critical providers to EU financial entities — major cloud providers with EU customers, key SaaS platforms used widely by EU firms, market infrastructure providers — should consider whether they meet the criteria for CTPP designation and prepare accordingly. Second, UK financial entities consuming services from CTPPs — whether the CTPP is UK-based or elsewhere — benefit from the additional supervisory oversight of those providers, but also face contractual changes and operational adjustments as their CTPPs adapt to DORA’s requirements.

Pillar 5 — Information Sharing Arrangements (Article 45)

The fifth and shortest pillar provides a legal framework for voluntary information sharing among financial entities about cyber threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, and other operational resilience-relevant information. The provision is designed to enable information sharing without competition law concerns and without inadvertently breaching data protection requirements. While voluntary, the information sharing pillar is expected to drive a significant increase in cross-firm collaboration on cyber threat intelligence over time.


The Critical ICT Third-Party Service Provider (CTPP) Regime

The CTPP regime represents the most novel element of DORA and warrants substantive separate treatment. Under Articles 31-44, the European Supervisory Authorities — the EBA, ESMA and EIOPA, working through the Joint Committee — collectively designate ICT third-party service providers as critical based on a set of criteria specified in Article 31 and the supporting RTS.

The criteria include: the systemic importance of the financial entities relying on the provider’s services; the criticality of the services for the financial entities’ operations; the systemic character of the impact that disruption to the provider’s services would have on the EU financial system as a whole; the degree of substitutability of the provider; the number of EU Member States in which the provider’s services are used; the systemic ICT third-party concentration risk; and other factors specified in the RTS. The designation process is iterative: the ESAs publish a list of designated CTPPs that is updated periodically as the financial system evolves.

Once a provider is designated as a CTPP, a Lead Overseer is appointed from among the three ESAs. The Lead Overseer becomes the primary point of supervisory engagement for the CTPP and exercises a range of supervisory powers: requesting information, conducting on-site inspections, requiring the CTPP to take specific measures, and issuing binding recommendations on matters relating to the CTPP’s ICT risk management, security, third-party arrangements, and operational practices. The Lead Overseer cooperates with national supervisors and with the financial entities that are clients of the CTPP.

The penalty regime sits at the apex of the supervisory architecture. Where a CTPP fails to comply with a binding recommendation issued by the Lead Overseer, periodic penalty payments may be imposed at up to 1% of the CTPP’s average daily worldwide turnover from the previous business year. The penalties accumulate daily until compliance is achieved. For the largest cloud and SaaS providers, this penalty mechanism translates into very substantial financial exposure for non-compliance — exposure that has, in practice, ensured strong engagement with Lead Overseer expectations even where individual recommendations may be commercially uncomfortable.


UK Firms and DORA — How and When the Regulation Applies

The relationship between UK firms and DORA is more nuanced than a simple “DORA does not apply to the UK” position would suggest. Three principal scenarios bring UK firms within DORA’s framework, each with distinct implications.

Scenario one: UK firms with EU subsidiaries, EU branches, or EU passport rights from before Brexit. These EU entities are themselves financial entities for DORA purposes and must comply directly with DORA. The UK parent must therefore ensure that its EU operations meet DORA requirements, with all the governance, risk management, testing, third-party risk, and reporting implications that follow. For groups with material EU operations — UK banks with EU bank subsidiaries, UK insurers with EU insurance subsidiaries, UK asset managers with EU AIFMs or UCITS managers, UK fintechs with EU payment institution authorisations — DORA implementation has been a substantial group-wide programme.

Scenario two: UK firms providing services to EU financial entities. The UK firm itself is not a financial entity for DORA purposes, but its EU clients are. Those EU clients, in meeting their own Pillar 4 obligations, must include specified contractual provisions in their arrangements with all ICT third-party providers, including UK-based providers. UK firms providing technology services, custody services, market data, fund administration, or other operationally significant services to EU financial entities should expect their EU clients to require DORA-compliant contractual provisions. In practice, this scenario captures a wide range of UK firms, from major outsourcing providers to relatively small specialist software vendors.

Scenario three: UK firms designated as Critical ICT Third-Party Service Providers. A UK-headquartered ICT provider — a cloud platform, a major SaaS provider, a critical market infrastructure operator — can be designated as a CTPP if it meets the criteria in Article 31 and the supporting RTS, regardless of its location outside the EU. Once designated, the UK CTPP is directly subject to oversight by its appointed Lead Overseer, with all the powers and penalties that follow. Several UK-headquartered providers have been considering whether they meet the CTPP criteria and preparing for potential designation.

For most UK firms, the practical implication is that DORA compliance has become a real operational consideration even though the UK is no longer an EU Member State. The compliance approach typically involves either ensuring that EU operations meet DORA requirements in their own right (scenario one), accepting and operationalising the cascading contractual requirements from EU clients (scenario two), or preparing for direct EU oversight (scenario three).


UK Operational Resilience Framework — SS1/21, SYSC 15A, and the CTP Regime

The UK’s own operational resilience framework runs in parallel to DORA but takes a materially different approach. The framework was developed by the FCA, PRA and Bank of England starting from a 2018 discussion paper and culminated in the policy statements published in March 2021. The PRA’s Supervisory Statement SS1/21 — “Operational resilience: Impact tolerances for important business services” — and the FCA’s Policy Statement PS21/3 — “Building operational resilience” — set out the substantive expectations. The FCA’s expectations are codified in the SYSC 15A chapter of the FCA Handbook.

The UK framework is principles-based and focused on outcomes rather than prescriptive process requirements. It requires in-scope firms to identify their important business services — those services whose disruption would cause material harm to the firm’s customers, market integrity, or financial stability. For each important business service, firms must set impact tolerances — the maximum tolerable level of disruption — and must map the resources (people, processes, technology, third parties, premises, data) that support each important business service. Firms must test their ability to remain within impact tolerances under severe but plausible disruption scenarios. The framework came into application on 31 March 2022 and reached full implementation on 31 March 2025.

Compared to DORA, the UK framework is less prescriptive on specific requirements but more demanding on the substantive judgement required to identify important business services accurately, set impact tolerances appropriately, and design scenario testing that genuinely tests resilience rather than confirming current arrangements. Where DORA prescribes specific testing methodologies (TLPT), specific contractual provisions, specific incident reporting timelines, and specific governance arrangements, the UK framework relies more on firms exercising judgement against principles, with supervisors challenging that judgement through ongoing supervision.

The UK Critical Third Party (CTP) regime, developed by the Bank of England, FCA and PRA, brings the UK closer to DORA in respect of direct oversight of major technology providers. The CTP regime was set out initially in DP3/22 and subsequently in policy statements. Under the CTP regime, HM Treasury can designate a third party as a Critical Third Party where its services to UK financial entities are sufficiently systemic that disruption could threaten financial stability. Once designated, CTPs become subject to direct oversight by the Bank of England, FCA and PRA, with rule-making powers to impose specific resilience requirements. The CTP regime, while not identical to DORA’s CTPP regime, addresses the same concern about concentration risk in the technology supply chain.

For UK firms operating across both jurisdictions, the practical question is how to manage the parallel regimes coherently. The general approach has been to develop a single integrated operational resilience framework that meets the higher of the two standards on each specific requirement, with documented mappings to demonstrate compliance with both regimes. This approach minimises duplication while ensuring nothing falls between the cracks.


Implementation Timeline, Enforcement and Penalties

DORA’s implementation timeline has been compressed by historical standards. The Regulation was adopted on 14 December 2022 and entered into application on 17 January 2025 — a window of just over two years. The European Supervisory Authorities have used this period to develop and publish the extensive RTS and ITS that operationalise the high-level Regulation: detailed standards on the ICT risk management framework, the incident reporting templates, the TLPT methodology, the third-party register of information, the criteria for CTPP designation, and the oversight processes for designated CTPPs. Most of the RTS and ITS have been published, with some publication continuing into 2025.

National competent authorities — the financial supervisors in each EU Member State — are responsible for supervising in-scope financial entities for compliance with DORA. The competent authorities have a range of supervisory powers, including the ability to require information, conduct on-site inspections, issue specific requirements, and impose administrative penalties. Member States have implemented penalty regimes through national legislation, and the maximum penalties available vary across jurisdictions, but include both financial penalties and other administrative measures. Some Member States have implemented criminal sanctions for serious non-compliance, particularly relating to incident reporting failures.

For Critical ICT Third-Party Service Providers, the penalty regime is set directly in the Regulation: periodic penalty payments of up to 1% of the CTPP’s average daily worldwide turnover from the previous business year, accumulating until compliance with the relevant Lead Overseer recommendation is achieved. The very substantial scale of this penalty for the largest providers reflects the EU’s view that direct supervision of CTPPs can only be effective if backed by penalties commensurate with the providers’ commercial scale.

The early months of DORA’s application have seen relatively measured supervisory engagement, with national competent authorities focusing on assessing firms’ implementation rather than aggressive enforcement of breaches. This is consistent with the typical pattern of major new regulatory regimes, where supervisors give firms reasonable time to demonstrate good-faith implementation before moving to enforcement of specific failures. However, supervisors have indicated that this measured approach will not continue indefinitely, and significant non-compliance from firms that have had since 2022 to prepare is likely to be treated severely.


Recruitment Implications — DORA Roles UK Firms Need

DORA has driven substantial recruitment activity across UK firms with EU operations or EU service relationships. Several distinct senior roles have emerged or grown materially in importance.

DORA Compliance Officer or DORA Programme Lead. Firms with significant DORA exposure typically appoint a dedicated senior leader responsible for the firm’s overall DORA compliance. This individual coordinates across the five pillars, manages the relationship with EU supervisors and the firm’s EU client base, oversees the implementation programme, and reports to the firm’s executive committee and board. The role typically sits within Compliance or Risk, with strong working relationships across Technology, Operations, and Procurement.

Head of ICT Risk or Chief Information Security Officer (CISO). Pillar 1 of DORA requires substantive uplift in ICT risk management capability for many firms. The Head of ICT Risk or CISO role has expanded materially in scope and seniority, often becoming an Executive Committee member. Senior candidates with both technical depth and regulatory engagement experience are particularly sought.

Head of Operational Resilience. The intersection of DORA and the UK framework has created demand for senior leaders who can navigate both regimes coherently. The Head of Operational Resilience role typically owns the integrated framework that meets both UK SS1/21 / SYSC 15A and EU DORA requirements, supported by Operational Resilience Managers and a small team.

Head of Third-Party Risk Management. Pillar 4’s substantive requirements on the third-party register, contractual provisions, ongoing monitoring, and exit strategies have driven the emergence of dedicated Third-Party Risk Management functions. The Head of Third-Party Risk role typically reports to the Chief Risk Officer or Head of Operational Resilience, with responsibility for the firm’s overall third-party risk framework including but not limited to ICT third parties.

ICT Incident Manager / Head of Cyber Operations. Pillar 2’s compressed reporting timelines have driven uplifts in incident management capability, with dedicated senior roles owning the firm’s classification, escalation, and reporting processes. These roles typically sit within Cyber Security Operations Centres or equivalent functions.

Head of TLPT or Operational Resilience Testing. For firms within the TLPT scope, the testing programme requires dedicated senior leadership. Heads of Operational Resilience Testing manage the firm’s overall testing programme including both Pillar 3 testing and the broader UK scenario testing.

For UK firms with material EU operations, the DORA-driven recruitment programme has typically been intensive over the period from 2023 through 2025. The recruitment market for these specialist roles has tightened materially, with experienced DORA implementation leaders commanding premium compensation. FD Capital has placed senior risk, compliance, and operational resilience leaders into UK firms across this period and continues to support clients facing ongoing DORA-driven recruitment requirements.


How FD Capital Works with Firms on DORA-Related Recruitment

FD Capital places senior risk, compliance, and operational resilience leaders into UK FCA-regulated firms, including substantive engagement with DORA-driven recruitment for firms with EU operations or EU service relationships. Our network includes senior professionals with substantive DORA implementation experience across all five pillars, with sector specialism (banks, investment firms, asset managers, payment institutions, e-money institutions, crypto-asset service providers), and with cross-jurisdictional regulatory experience.

Adrian personally screens candidates for senior DORA-related placements given the technical complexity of the Regulation and the consequences of getting senior risk and compliance hires wrong. An initial introduction is typically made within 48 hours for urgent requirements, with a full shortlist within five working days for specific assignments.

Initial consultation is confidential and at no charge. Call 020 3287 9501 for an immediate DORA-related senior recruitment requirement, or email recruitment@fdcapital.co.uk.


About the Author

Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW member record). Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name.

FD Capital has been placing senior risk, compliance, and operational resilience leaders into UK FCA-regulated firms since 2018 — including substantive engagement with DORA-driven recruitment for UK firms with EU operations, EU subsidiaries, EU branches, or material service relationships with EU financial entities. Our network includes senior professionals with substantive DORA implementation experience across all five operational pillars (ICT risk management, incident reporting, testing including TLPT, third-party risk management, and information sharing) and across the major in-scope sector categories. Adrian personally screens candidates for senior DORA-related placements given the technical complexity of the Regulation and the consequences of getting senior risk and compliance hires wrong. FD Capital Recruitment Ltd (Companies House 13329383) is associated with Adrian’s ICAEW registered Practice.

Speak to FD Capital about DORA-related senior recruitment: Call 020 3287 9501 or email recruitment@fdcapital.co.uk.