DORA in Practice: What Operational Resilience Compliance Actually Costs

Executive summary: DORA (Digital Operational Resilience Act, EU Regulation 2022/2554) applied from January 2025 for EU financial entities and their critical ICT third-party providers. Fourteen months in, firms have a clearer picture of what compliance actually costs in practice. For a mid-size fintech of approximately 100 staff with EU operations, the total annual cost of DORA compliance runs to £350,000 to £700,000 once people, technology, testing, and third-party audit are fully counted. This article builds that cost model and compares it with the UK FCA's parallel operational resilience requirements.

Who DORA Applies To

DORA applies to "financial entities" as defined in the regulation, which is an extensive list that includes credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers (once MiCA applies), and insurance companies operating in the EU. It also applies to ICT third-party service providers that are designated as "critical" (CTPPs) by the European Supervisory Authorities.

For UK firms, the question of whether DORA applies is primarily a question of whether the firm has an EU-regulated entity or provides ICT services to EU financial entities. A UK fintech with an Irish or Dutch subsidiary that is regulated under MiCA or EMD2 is a DORA-in-scope financial entity via that subsidiary. A UK technology company that provides core banking software, cloud infrastructure, or payment processing services to EU banks is potentially a CTPP subject to DORA's third-party risk management requirements.

The CTPP designation is significant because it means that even a firm without a direct EU regulatory footprint may have DORA obligations imposed on it by its EU financial entity clients. By early 2026, the ESAs had completed the first round of CTPP designations, identifying the largest and most systemically important ICT providers serving EU financial markets. If you are a SaaS provider to EU financial institutions and have not assessed your CTPP status, this is overdue.

The Five DORA Pillars

DORA is structured around five interconnected requirements. Understanding the scope of each pillar is necessary before you can build a cost model, because the cost drivers are different across them.

  • ICT risk management: A comprehensive ICT risk management framework, including governance structure, risk identification methodology, protection and prevention measures, detection capabilities, response and recovery procedures, and a post-incident review process. The framework must be documented, reviewed annually, and approved by the management body.
  • ICT-related incident reporting: A mandatory reporting regime for "major ICT-related incidents" to the relevant competent authority, with prescribed timelines: an initial notification within four hours of classification, a detailed intermediate report within 72 hours, and a final report within one month. Classification criteria are detailed in EBA guidelines and require firms to assess impact against multiple criteria including transaction volume, client numbers, and geographical spread.
  • Digital operational resilience testing: Annual basic testing for all in-scope financial entities, plus threat-led penetration testing (TLPT) every three years for the largest and most systemically important entities. Basic testing includes vulnerability assessments, network security testing, gap analysis, and scenario-based testing. TLPT is significantly more intensive and expensive, involving external "Red Team" exercises simulating real threat actors.
  • ICT third-party risk management: A comprehensive framework for managing dependencies on ICT third-party providers, including a register of all ICT providers, risk assessments for each, and contractual requirements (prescribed minimum contract provisions under DORA) including sub-contracting visibility, audit rights, exit provisions, and data portability requirements.
  • Information and intelligence sharing: A voluntary framework for sharing cyber threat information and intelligence between financial entities. In practice, this pillar has the least direct cost impact for most firms in the first year of implementation.

  • DORA application date: Jan 2025. Full requirements applied to all in-scope entities.
  • Major incident notification: 4 hours. Initial notification to the competent authority after classification.
  • TLPT frequency: 3 years. Threat-led penetration testing for significant entities.
  • Basic resilience testing: annual; includes vulnerability assessments, network testing, and scenario exercises.

The Cost Model: A Mid-Size Fintech (~100 Staff)

Building a realistic DORA compliance cost model requires separating the one-time implementation costs from the ongoing annual costs. Most firms have now completed the implementation phase; the question for CFO planning purposes is the steady-state annual cost.

| Cost Category | Description | Annual Cost |
|---|---|---|
| People: dedicated headcount | DORA compliance function: typically 0.5–1.0 FTE at senior level (CISO or senior risk manager level) plus administrative support for ICT register maintenance and reporting | £80k–£150k |
| Technology: monitoring and logging | SIEM (Security Information and Event Management) upgrade or implementation to meet detection requirements; incident classification tooling; ICT register management software | £40k–£80k |
| Annual testing programme | Vulnerability assessments (quarterly); penetration tests (annual); network security reviews; scenario-based exercises facilitated by external specialist; gap analysis | £60k–£120k |
| Third-party risk management | ICT register maintenance; vendor due diligence programme; contract renegotiation for DORA-mandated provisions; ongoing monitoring of critical vendors | £50k–£100k |
| External audit and assurance | Annual assurance review of ICT risk framework and incident reporting processes; regulator-facing documentation preparation; external expert review of DORA policy suite | £30k–£60k |
| Training and awareness | DORA-specific training for management body and key staff; incident classification simulation exercises; awareness programme for all staff | £15k–£30k |
| Total annual steady-state | Mid-size fintech (~100 staff) with EU regulated entity, operating moderate IT complexity (cloud-based, third-party dependent) | £275k–£540k |

The TLPT requirement adds a significant one-off cost approximately every three years. A full threat-led penetration test engagement, using qualified Red Team providers who are approved under the TIBER-EU framework, typically costs £150,000 to £300,000 for a mid-size institution. Amortised over three years, this adds £50,000 to £100,000 per annum to the steady-state cost, bringing the total range to approximately £325,000 to £640,000 per annum.

"The most frequently underestimated DORA cost is not the testing programme or the technology. It is the third-party risk management function: the ongoing cost of maintaining a complete, accurate register of ICT providers, assessing each one, and renegotiating contracts to include the prescribed DORA provisions. For a firm with 50+ ICT vendors, this is a substantial ongoing programme."

Comparison with UK FCA Operational Resilience Rules

The FCA's operational resilience rules, which came into full effect in March 2022 (following the PS21/3 policy statement), share many of DORA's objectives but differ in structure and detail. Understanding the overlap and the differences is important for UK firms that must comply with both frameworks simultaneously.

The FCA's framework focuses on important business services (IBS): firms must identify their IBS, map the people, processes, technology, and data that underpin them, set impact tolerances for each IBS, and demonstrate by March 2025 that they can stay within those tolerances when disruptions occur. The FCA's approach is outcome-focused and principles-based; DORA is more prescriptive in its requirements for specific controls, testing methodologies, and third-party contract provisions.

In practice, there is substantial overlap between the two frameworks in the areas of ICT risk management, incident management, and third-party risk. A firm that has fully implemented the FCA's operational resilience framework will have covered a significant proportion of DORA's requirements. The gaps tend to be in the specific testing requirements (the FCA does not mandate annual penetration tests at the same level of prescription as DORA), the incident reporting timelines (the FCA's SYSC requirements specify different timelines), and the contractual requirements for ICT vendors.

UK-only firms are not exempt from DORA's indirect effects. If you are a UK technology provider to EU financial institutions and are not a CTPP, your EU clients will nonetheless require contractual DORA compliance as part of their own third-party risk management obligations. Expect to receive addenda to your service agreements requiring DORA-compliant provisions on sub-contracting, audit rights, exit planning, and data portability, even if your firm has no direct DORA obligation.

Implementation Gaps Still Being Addressed

Fourteen months into DORA, the areas where firms are still working to close compliance gaps fall into three categories.

The most common gap is the ICT third-party register. DORA requires a comprehensive register of all ICT service providers, including sub-contractors of critical vendors. Many firms discovered in 2025 that they had significantly more ICT dependencies than they had previously mapped, particularly in the area of cloud infrastructure sub-processors and software supply chain components. Building and maintaining this register requires ongoing effort and tooling investment.

The second common gap is the incident classification process. The DORA incident classification criteria are detailed and require firms to assess multiple dimensions of impact simultaneously (client numbers, transaction volume, reputational impact, geographical spread) against quantitative thresholds published in EBA guidelines. Many firms in 2025 found that their existing incident management processes were designed to assess impact for internal purposes, not for regulatory reporting, and had to be redesigned.

The third gap is the management body engagement requirement. DORA explicitly requires the management body to be actively involved in ICT risk governance, approving the ICT risk management framework, overseeing the testing programme, and being briefed on significant incidents. For firms where operational resilience was previously treated as an IT function rather than a board-level matter, bringing the management body up to the required level of engagement has required investment in training, reporting, and governance structure.

CFO Actions: Building DORA into Your Cost Base

The CFO's role in DORA compliance is primarily financial and governance: ensuring the cost model is realistic, the budget is in the correct place in the P&L (operational resilience is typically a technology and compliance cost, not a separately disclosed item), and the board has appropriate visibility of the programme cost and status.

  • Budget for steady-state: Use the cost model above as a benchmark for your own firm. If your current budget for DORA compliance is materially below the range for your size, it is likely that you are either incomplete in your implementation or that costs are being absorbed in other budget lines without visibility.
  • Provision for TLPT: If your firm is subject to the threat-led penetration testing requirement (applicable to significant entities above certain size thresholds), provision for this cost three years in advance. The cost of a full TLPT engagement is not trivial, and it is not reducible through negotiation with the approved provider list.
  • Review ICT vendor contracts: The DORA-mandated contract provisions (audit rights, exit provisions, data portability, sub-contracting visibility) may require renegotiation with vendors who were not contractually compliant before DORA applied. This is a legal and procurement cost that should be budgeted, not deferred.
  • Align with audit: Ensure your external auditor is aware of your DORA obligations and that their engagement scope includes review of the key financial controls that are part of your ICT risk management framework. Internal audit should include a DORA pillar review in the annual programme.

Key Takeaways

  • DORA applies to all EU-regulated financial entities and potentially to UK firms that are designated as critical ICT third-party providers (CTPPs). UK SaaS providers to EU banks should assess their CTPP status and review their client contracts for DORA addenda requests.
  • The steady-state annual cost of DORA compliance for a mid-size fintech (~100 staff) with an EU regulated entity is approximately £325,000 to £640,000 per annum, inclusive of TLPT amortisation.
  • The third-party risk management function is the most commonly underestimated cost driver. Maintain a comprehensive ICT register and budget for ongoing vendor assessment and contract renegotiation.
  • The FCA's operational resilience framework covers significant ground in common with DORA. Firms that have fully implemented the FCA framework can leverage that work, but the specific DORA requirements on testing prescription, incident timelines, and contract provisions require additional implementation effort.
  • DORA incident reporting has a 4-hour initial notification requirement. If your incident classification process was not designed with this timeline in mind, it needs to be redesigned before you face a significant incident, not after.
  • Budget for TLPT costs as a three-year recurring item. At £150,000 to £300,000 per engagement, it is material enough to require advance planning and board awareness.
