

- DORA took effect January 17, setting new ICT risk standards across the EU, and while UK IFAs may not be mandated to comply, they remain indirectly exposed
- The FCA and PRA already impose similar operational resilience rules
- ISO 27001 adoption can help bridge DORA alignment, and voluntary compliance could prevent reputational and legal fallout

The arrival of the Digital Operational Resilience Act (Dora) on January 17 has ushered in a new era of stringent ICT risk management across Europe’s financial sector.
While the regulation was designed to close long-standing gaps in cyber resilience and third-party risk oversight for banks, insurers, and investment firms, its reach has extended far beyond its original EU borders.
UK-based independent financial advisers (IFAs), many of whom interact with EU clients or service providers, may soon find themselves exposed not by legal obligation, but by rising market expectations and shifting regulatory norms.
Although many UK IFAs aren’t technically bound to comply with Dora, particularly those with lower risk profiles or no direct EU relationships, this regulatory blind spot may prove short-lived.
The Financial Conduct Authority’s policy statement PS21/3 and the Prudential Regulation Authority’s supervisory statement SS1/21 have already introduced similar standards for operational resilience, creating overlap with Dora’s requirements.
For firms regulated domestically, aligning with Dora offers a streamlined route to fulfilling these expectations while preparing for what’s increasingly seen as the direction of travel for global compliance.
At the heart of Dora is a comprehensive framework for managing ICT risk. It mandates consistent procedures for risk identification, incident reporting, resilience testing, and oversight of outsourced technology providers.
Even without a formal mandate, UK IFAs would be wise to begin aligning with these principles. Those already certified under ISO 27001 — or adopting its standards — are well-positioned, as the certification provides a structural foundation that mirrors much of Dora’s intent.
Risk assessments targeting ICT vulnerabilities, supply chain dependencies, and data handling should be among the first steps. These efforts must be paired with clear cyber incident strategies and operational continuity plans. Regular testing, staff education, and simulation exercises such as tabletop drills are no longer optional in a landscape defined by ransomware attacks, phishing campaigns, and rapidly evolving digital threats.
Failure to act may carry a price. Clients and partners are becoming more vigilant about cybersecurity standards, particularly in light of the reputational damage and legal liability that can result from inadequate protections. Regulators are also sharpening their focus, not just through enforcement but through public pressure.
The FCA’s growing emphasis on resilience means that advisers unable to demonstrate preparedness may face closer scrutiny — or worse, diminished client trust and potential legal action under data protection laws such as GDPR.
Critically, third-party risk is now seen as a systemic threat, not just an operational detail. Dora demands that firms perform due diligence on their ICT vendors and ensure that contractual arrangements reflect robust resilience expectations.
For IFAs reliant on external platforms, service providers, or cloud infrastructure, this is an area that cannot be overlooked. Investors and insurance partners are increasingly demanding evidence that these relationships are secure, monitored, and governed by clearly defined accountability.
Voluntary compliance with Dora is not merely a box-ticking exercise. It could prove to be a strategic advantage.
Firms that invest early in aligning with the regulation’s pillars – from cyber preparedness to supplier oversight – will be better equipped to avoid future costs and disruption.
Conversely, waiting until similar obligations become mandatory may lead to rushed compliance, higher spend, and increased operational strain.
In an interconnected market where resilience is now equated with trust, the direction of travel is clear.
Whether or not the mandate arrives tomorrow, the standard has already been set. For UK financial advisers, the choice is no longer whether to prepare – but whether to lead or lag behind.
