Outages, ransomware storms and the dominance of hyperscaler platforms are no longer mere “IT glitches”; they are board-level resilience risks with legal consequences. In the European Union, the Digital Operational Resilience Act (DORA) became fully applicable to financial entities on 17 January 2025, thrusting operational continuity, incident response timing and third-party oversight into the regulatory centre stage. Meanwhile in the UK, a new Cyber Security and Resilience Bill (CSRB) is in the pipeline to extend resilience obligations beyond traditional critical infrastructure, bringing tougher scrutiny across sectors.

Why the urgency? Regulators have long fretted over the systemic dependencies built on a narrow set of ICT suppliers, the proliferation of cyberattacks, and the danger that a cascading failure in one jurisdiction could ripple across borders. DORA answers that by imposing a robust EU-wide regime for financial firms, including oversight of critical ICT third parties (CTPPs) under the supervision of the EU authorities.

DORA’s journey has been long. Though adopted in 2022, its layered Regulatory and Implementing Technical Standards (RTS/ITS) have only recently been finalised, compressing prep time for firms ahead of the January 2025 go-live.

In the UK, the government chose not to simply mirror the EU’s NIS2 Directive. Instead, the forthcoming Bill aims to modernise the UK’s resilience architecture, widening scope, strengthening incident reporting and empowering regulators to act. Its April 2025 policy statement fleshes out how the Bill will reform reporting obligations, bring more entities into scope (such as managed service providers) and grant regulators broader powers.

At the same time, for the financial sector, UK regulators have already moved ahead. Under the Bank of England (BoE) / Prudential Regulation Authority (PRA) / Financial Conduct Authority (FCA) regime, a statutory framework to designate Critical Third Parties (CTPs) already exists under the Financial Services and Markets Act (FSMA) 2023, giving regulators powers to gather resilience data and enforce against systemic vendor risks even before the full Bill lands.

In short: from Brussels to Westminster, business continuity, fast incident escalation and rigorous third-party scrutiny are being transformed from best practice to binding mandate.

What DORA requires in practice

Under DORA, financial firms must embed operational continuity by design. That means identifying and mapping important business services (such as payment clearing, fund distribution or client data access) and defining impact tolerances (for example, maximum permissible outage duration or data loss). Organisations must maintain not just ICT risk frameworks, but resilient business continuity plans and crisis communications that function in real outages. For example, a Czech bank might test failover to a secondary data centre under load to validate switchover with clients still able to initiate payments.

In the realm of incident response and reporting, DORA introduces a harmonised timetable. Firms must issue an initial notification within 4 hours after classifying an incident as “major,” and no later than 24 hours after first becoming aware of it. An intermediate report must then follow within 72 hours, and a final root-cause/lessons-learned report within one month. Even if not all data is in hand at a given stage, the report must still be filed on time and updated later as facts emerge.

For advanced testing, in-scope firms must run proportionate testing regimes and periodic Threat-Led Penetration Testing (TLPT). Such tests must include critical third-party dependencies and scenario realism (e.g. simulating a cloud provider drop).

Finally, third-party risk oversight is elevated. Firms must bake in contractual rights (e.g. audit, data access, exit/transition), monitor concentration risk, and prepare for the designation of CTPPs under the European Supervisory Authorities (ESA) oversight regime. Leading hyperscale cloud providers have already surfaced as key candidates.

Together, these practical demands force firms to shift from reactive posture to resilience-by-design under DORA.

What the UK Cyber Security and Resilience Bill Is Set to Do

The UK Government’s proposed CSRB would modernise and expand the current 2018 Security of Network and Information Systems Regulations (the NIS framework) by broadening who must comply, sharpening duties, and granting regulators stronger enforcement powers. Under the reform, managed service providers and data centres supplying clients come explicitly into scope, so a cloud provider serving a local authority, or a facilities management firm offering remote monitoring, could be required to meet resilience standards and supply-chain hygiene rules.

Incident reporting will switch to a stricter two-stage model requiring an initial alert to the regulator and National Cyber Security Centre (NCSC) within 24 hours, followed by a full report within 72 hours, even if service continuity is not yet disrupted. For example, if a ransomware attack infiltrates a supplier’s systems and threatens confidentiality or integrity, even before outages, the supplier must report early. Regulators will gain powers to audit, issue fines and require corrective measures, dovetailing with existing regimes for financial services under BoE/PRA/FCA.

Parliamentary introduction is planned in 2025, with Royal Assent and phased enforcement expected from 2026. Businesses should begin aligning now to avoid costly retrofitting later.

Head-to-head: What’s the Same vs. Different (EU vs UK)

In both DORA and the CSRB, businesses must move from passive “checklist” compliance to faster incident reporting, with lifecycle updates to regulators and risk overseers as incidents evolve. In both jurisdictions, third-party and supply-chain resilience is elevated from procurement diligence to active regulatory supervision. The EU’s CTPPs come under direct oversight by the European Supervisory Authorities. In the UK, the financial sector’s existing CTP regime under BoE/PRA/FCA dovetails with the CSRB’s cross-economy expansion. Moreover, both require scenario testing (think threat-led penetration testing, TLPT-style drills) for high-risk entities. This means not just annual fire drills but stress tests that simulate multi-vector attacks.

However, key divergences remain. Scope is one: DORA is narrowly financial-sector and is directly applicable EU regulation; the UK Bill aims wider across digital and infrastructure sectors, leaving financial services partly under current PRA/FCA regimes. For oversight, the EU uses pan-EU oversight of CTPPs via the ESAs and a joint Oversight Forum. The UK, by contrast, will designate certain CTPs domestically in finance and use CSRB powers for cross-sector oversight. In terms of templates and timing, DORA already mandates standard RTS/ITS forms and deadlines. The UK’s detailed obligations will be fleshed out later via secondary legislation and guidance, leaving firms to anticipate potential shifts.

Practical “do this now” checklist (EU and UK)

  1. Set the clocks
    Hard-code timers (4 h after classification, 24 h after detection; 72 h updates; one-month final) into incident response playbooks and automation tools. Dry-run weekend and third-party failure scenarios to test compliance under duress.
  2. Map important business services and define tolerances
    Catalogue key services (e.g. payment gateway, client portal), set RTO/RPO thresholds, and define customer harm metrics. Link thresholds to communication triggers for clients, regulators, markets.
  3. Tier third parties by criticality
    Spot candidates for CTPP / CTP status, map concentration risk and subcontract chains. Pre-bake clauses for testing rights, incident data access and exit/transition conditions in contracts.
  4. Test like it’s real
    Execute TLPT / war-game drills involving cloud, SaaS and MSP suppliers. Capture evidence in formats acceptable to regulators (time stamps, forensic logs, decision trails).
  5. Board fluency and MI (management information)
    Elevate dashboards to track compliance with incident timers, service health vs tolerances, and dependency heatmaps directors can interpret in crisis.
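
As an added example (not code from the original article), the following Python turns the checklist’s “set the clocks” step into a deadline calculator for both regimes, including the DORA rule that the initial notification is due 4 h after classification but never later than 24 h after awareness. The reference points for DORA’s intermediate and final reports (counted from the previous submission) and the 30-day approximation of “one month” are assumptions of this example.

```python
from datetime import datetime, timedelta


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist on an explicit timezone,
    so deadlines are unambiguous across EU/UK offices."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone offset: {ts}")
    return dt


def dora_deadlines(aware_at: str, classified_at: str) -> dict:
    """DORA reporting deadlines for an incident classified as major.

    initial: 4 h after classification, capped at 24 h after awareness.
    intermediate: 72 h after the initial notification (assumed reference point).
    final: one month after the intermediate report (assumed; approximated as 30 days).
    """
    aware, classified = _parse(aware_at), _parse(classified_at)
    if classified < aware:
        raise ValueError("classification cannot precede awareness")
    initial = min(classified + timedelta(hours=4), aware + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {k: v.isoformat() for k, v in
            {"initial": initial, "intermediate": intermediate, "final": final}.items()}


def csrb_deadlines(aware_at: str) -> dict:
    """UK CSRB two-stage model: initial alert within 24 h of awareness,
    full report within 72 h, regardless of whether service is disrupted."""
    aware = _parse(aware_at)
    return {"initial": (aware + timedelta(hours=24)).isoformat(),
            "full": (aware + timedelta(hours=72)).isoformat()}


def overdue(deadlines: dict, now: str) -> list:
    """Names of reports whose deadline has already passed at `now`;
    suitable as a playbook alarm condition."""
    current = _parse(now)
    return [name for name, due in deadlines.items() if current > _parse(due)]


if __name__ == "__main__":
    # Constructed weekend scenario: aware late Friday, classified 22 h later.
    print(dora_deadlines("2025-01-17T23:00:00+00:00", "2025-01-18T21:00:00+00:00"))
    print(csrb_deadlines("2025-01-17T23:00:00+00:00"))
```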

Strategic upside

The real gains here? Faster recovery, reduced customer harm, and stronger negotiation leverage with providers. Firms that bake in DORA-style telemetry, UK CTP readiness and Bill-ready reporting will slash downtime and reputational drag, turning resilience into a lower cost of capital and improved insurer terms. Treat 2025–2026 as a once-in-a-decade reset window for resilience in our cloud-first, provider-dense economy.

And what about you…?

  • How confident are you that your organisation could meet DORA’s or the UK Bill’s rapid incident-reporting deadlines if a serious cyber event occurred this weekend?
  • Does your board receive clear, timely management information on operational resilience, such as service tolerances, dependency maps, or incident timer compliance?