April 5, 2026

DORA Compliance 2026: What UK Financial Services Firms Need to Know

The Digital Operational Resilience Act has been enforceable across the EU since January 2025. For the first year, regulators focused on reviewing frameworks and setting expectations. That transition period is over.

In 2026, DORA enforcement is active. National competent authorities are conducting reviews, cross-checking Register of Information data, and beginning to issue penalties. For UK-based financial services firms with EU clients, EU-regulated subsidiaries, or ICT services that feed into EU financial institutions, this is now an operational concern.

What DORA requires

DORA is an EU regulation, not a directive, meaning it applies directly and uniformly across all member states. It covers banks, insurance companies, investment firms, payment providers, and their ICT third-party service providers.

The regulation is built around five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. Unlike point-in-time certification standards, DORA demands continuous operational resilience. Organisations must be able to demonstrate compliance at any given moment.

The most immediate pressure point in 2026 is the second annual submission of the Register of Information. Under Article 28, every in-scope financial entity must maintain a comprehensive register of all contractual arrangements with ICT third-party service providers. National regulators consolidate these registers and submit them to the European Supervisory Authorities by March each year.

Most firms are not ready

Research from Deloitte found that only 50% of institutions expected to reach full DORA compliance by the end of 2025. A further 38% pushed their target into 2026. A separate McKinsey survey of major European financial institutions found that only around a third were confident they could meet all requirements by the original January 2025 deadline.

Nearly half of surveyed organisations identified the Register of Information as the single most challenging requirement, largely because it requires detailed mapping of every ICT contract and dependency across the business.

DORA penalties and enforcement powers

The penalty framework is substantial. Financial entities found in breach face fines of up to 2% of total annual worldwide turnover for the most serious violations. Individual fines for senior management can reach EUR 1 million.

Critical ICT third-party providers face fines of up to EUR 5 million, plus daily recurring penalties of up to 1% of average daily worldwide turnover for continued non-compliance, for up to six months. Regulators also have the power to suspend licences and revoke authorisation entirely under Article 50.

In November 2025, the European Commission introduced the Digital Omnibus proposal, which aims to streamline reporting across DORA, the AI Act, GDPR, and NIS2 by introducing a single incident reporting point. This package is still moving through the legislative process, but it signals that the EU is consolidating rather than softening its regulatory approach.

Why DORA matters to UK firms

DORA does not apply directly to UK-regulated entities, but the indirect exposure is significant.

UK firms providing ICT services to EU financial institutions may fall within DORA's third-party oversight requirements. EU-regulated entities must assess and manage ICT risk across their entire supply chain, which includes UK-based suppliers. If you provide cloud infrastructure, data analytics, payment processing, or compliance tooling to EU financial services clients, expect to be asked about your DORA readiness.

UK financial services firms with EU subsidiaries or passported operations are directly in scope. And even for purely domestic UK firms, DORA is setting a benchmark. The UK's own operational resilience framework already shares significant overlap with DORA's requirements, and the Cyber Security and Resilience Bill currently moving through Parliament signals further alignment.

Practical steps for UK firms preparing for DORA

Map your ICT dependencies. The Register of Information requirement forces organisations to catalogue every third-party ICT relationship. Even if you are not directly in scope, this exercise identifies single points of failure, contract gaps, and unmanaged risk.

Review your incident reporting processes. DORA requires structured, prompt reporting of significant ICT incidents to competent authorities. If your current process relies on ad hoc communication or manual escalation, it will not meet the standard.

Assess your third-party contracts. DORA requires specific contractual provisions covering service levels, exit strategies, audit rights, and security obligations. Many existing contracts will not include these clauses.

Build resilience testing into your operations. DORA goes beyond standard penetration testing. It requires threat-led penetration testing (TLPT) for significant entities, aligned with the TIBER-EU framework (revised in February 2025 to bring it into line with DORA's regulatory technical standards). Even for organisations not required to conduct TLPT, regular resilience testing demonstrates operational maturity to clients and regulators.

Compliance automation and DORA readiness

The gap between what DORA demands and what most organisations can deliver manually has created a genuine need for compliance automation. DORA requires continuous monitoring, documented evidence, and the ability to prove compliance at any point. Annual audit cycles will not satisfy regulators.

Naq's platform supports multiple compliance frameworks from a single dashboard, including ISO 27001, GDPR, and Cyber Essentials. For organisations managing overlapping regulatory obligations across UK and EU jurisdictions, the ability to map evidence and controls across frameworks removes duplication and keeps compliance current rather than retrospective.

Naq does not currently offer a standalone DORA compliance module, but much of the underlying work (ISO 27001 ISMS, risk management, incident response documentation, third-party risk registers) directly supports DORA readiness. As financial services frameworks expand on the platform, coverage will grow.

If your organisation is managing DORA alongside existing UK compliance requirements, book a demo to see how Naq can help consolidate the workload.

Written by
The Naq Team