DORA is in force: what it means for your firm's IT
The EU’s Digital Operational Resilience Act — DORA — has been in force since January 2025. For UK firms the instinct is to file it under “EU problem,” but that’s a mistake if you operate in the EU, serve EU clients, or sit in the supply chain of a firm that does. The obligations flow down.
DORA is long, but the technology implications come down to a handful of things you either have in place or you don’t.
ICT risk management
DORA expects a documented framework for managing ICT risk — not a binder that exists for audits, but live controls, monitoring, and governance. In practice that means knowing your estate, controlling access, patching on a schedule, and being able to show the framework is actually operating.
Incident reporting, against the clock
ICT-related incidents have to be classified and, above a threshold, reported within defined timelines. The firms that struggle here aren’t the ones without security — they’re the ones who can’t assemble the facts fast enough when something happens. The fix is to set up classification and logging before the incident, so reporting is a process rather than a panic.
Third-party oversight
DORA cares a great deal about your ICT suppliers, because your resilience depends on theirs. You need a register of your ICT third parties, an understanding of concentration risk, and evidence of oversight. A register that’s rebuilt from memory the week before an audit is not oversight.
Resilience testing
You have to test your operational resilience and recovery, and keep the results. “We’re sure the backups work” is not a test. A documented restore is.
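An added example of what "a documented restore" can look like in practice (this is illustrative code written for this page, not the firm's own tooling or anything DORA prescribes): the backup is a tar.gz built in a temporary directory, the restore goes into a scratch directory, every restored file's SHA-256 is compared with the manifest taken at backup time, and a timestamped JSON record is appended whether the test passes or fails. The file names, the evidence-log format and the `demo()` helper are assumptions for the sake of the example.

```python
"""Scripted backup-restore test that records its own evidence.

Everything here is constructed for illustration: the "backup" is a tar archive
built in a temporary directory, and the evidence record is one JSON line.
Paths, file names and the record layout are assumptions, not any product's format.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Create a tar.gz of source and return the manifest of what was backed up."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_test(archive: Path, expected: dict, evidence_log: Path) -> dict:
    """Restore the archive into a scratch directory, compare every file's hash
    with the manifest taken at backup time, and append a timestamped record.
    The record is written on PASS and on FAIL: a failed restore is evidence too."""
    started = time.time()
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses paths that escape the target directory.
                tar.extractall(scratch_path, filter="data")
            except TypeError:  # Python versions without the 'filter' argument
                tar.extractall(scratch_path)
        restored = manifest(scratch_path)
    missing = sorted(set(expected) - set(restored))
    mismatched = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    record = {
        "test": "backup-restore",
        "archive": archive.name,
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "duration_s": round(time.time() - started, 3),
        "files_expected": len(expected),
        "files_restored": len(restored),
        "missing": missing,
        "mismatched": mismatched,
        "result": "PASS" if not missing and not mismatched else "FAIL",
    }
    with evidence_log.open("a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo() -> tuple:
    """Run a clean restore and one against a stale manifest (constructed data);
    return (first result, second result, mismatched files, evidence lines)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,10\n")
        (src / "sub" / "config.ini").write_text("[core]\nmode=prod\n")
        archive = work / "backup.tar.gz"
        log = work / "restore-evidence.jsonl"
        expected = make_backup(src, archive)
        good = restore_test(archive, expected, log)
        # A manifest whose hash for ledger.csv no longer matches the archive:
        # the restore must be reported as FAIL, and still logged.
        stale = dict(expected)
        stale["ledger.csv"] = "0" * 64
        bad = restore_test(archive, stale, log)
        lines = log.read_text().splitlines()
        return good["result"], bad["result"], bad["mismatched"], len(lines)


if __name__ == "__main__":
    print(demo())
```

Run on a schedule, the evidence log is the artefact an auditor can read: when the restore was tried, how long it took, how many files came back, and which ones did not match. Keeping the manifest from backup time is the part that makes the comparison meaningful; without it, "the restore finished" says nothing about whether the data is intact.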
What to actually do
If DORA applies to you, start with the unglamorous foundation: an accurate picture of your estate and suppliers, controls that genuinely operate, and evidence captured as you go rather than reconstructed later. Most of DORA is good IT management, written down and provable.
That last clause — written down and provable — is the whole game. It’s also exactly how we run the estates in our care.
Want technology you can stop thinking about?
A 30-minute call, no obligation. We’ll tell you plainly whether we can help.