What use are cybersecurity regulations if no one can prove they’ve been followed?
That question has hovered over regulators for years. And with nearly half of UK businesses experiencing a cyber incident in the past year, clarity and resilience have never been more essential—especially in finance. Cyberattacks are rising fast, and 61% of financial firms in the UK are now actively seeking external help and guidance to keep up.
That’s where DORA, the EU Digital Operational Resilience Act, enters the picture. It has only applied since 17 January 2025, yet it has already become one of the most talked-about regulations in financial circles. Its goal is to ensure that banks, insurers, investment firms and other financial entities, together with the ICT third-party providers they depend on, can withstand, respond to and recover from serious ICT disruptions, whether caused by attack or by failure.
Relevance
DORA binds EU financial entities rather than firms based solely in the UK, but most UK financial institutions do business in the EU or work with EU-based partners. DORA requires those EU entities to flow its requirements down to their ICT providers by contract, and its oversight regime for critical ICT third-party providers reaches providers established outside the EU as well. UK firms may not be regulated under DORA directly, but they will be held to its standards by their EU counterparts, which makes it effectively unavoidable.
So while DORA is technically an EU law, its ripple effect spreads well beyond EU borders—and UK finance is right in the splash zone.
Mindset
Most organisations agree with DORA’s core objective: make the financial sector more resilient to IT failures and cyberattacks. But that doesn’t mean everyone is ready.
When DORA began to apply in January 2025, 43% of UK banks admitted they were still unprepared. Many are approaching the new rules the same way they approached earlier regulations: by ticking boxes and waiting for audit season.
But DORA isn’t just about passing an audit. It’s about embedding resilience into the heart of financial operations so that disruptions—whether cyber, technical, or operational—don’t spread chaos across the system.
That’s a very different challenge.
Complexity
One of the biggest hurdles isn’t the tech—it’s the interpretation. DORA’s language around IT risk and operational resilience is intentionally flexible, but for many firms that just creates more confusion.
This vagueness leads to what insiders are calling audit anxiety—a growing sense of unease among IT and security teams who know they need to be compliant but aren’t sure what that looks like in practice.
Big institutions can throw resources at the problem. They create specialist compliance teams and engage consultants. But smaller firms? They’re often stuck asking their already stretched teams to juggle day-to-day operations and decode regulatory frameworks at the same time.
That’s where things start to break down. Organisations may already have the right controls in place, such as protective DNS (PDNS), a resolver that refuses to answer queries for known-malicious domains, but without knowing how those controls map to a compliance framework they go underused and unevidenced.
DNS
One of the most overlooked areas in all of this is DNS, the Domain Name System: the service that translates the names users and applications rely on into the addresses they connect to. When it breaks, everything built on top of it breaks.
DNS is a Tier 0 service in the sense that almost everything else depends on it and it depends on almost nothing else. If the resolvers fail, online banking does not load, payment and settlement systems cannot reach their counterparties, and internal applications cannot find each other. Yet most organisations still treat it as a background utility, measuring uptime and ignoring its potential as a first line of defence: the resolver sees every outbound connection attempt before it is made, which is exactly where queries for malicious domains can be blocked.
This is a blind spot. Responsibility for DNS is often split between network and infrastructure teams, and responsibility for its security frequently belongs to no one. But if DNS infrastructure suffers an outage, whether from misconfiguration or attack, the damage ripples quickly across the wider ecosystem: what starts as a technical fault in one firm can knock out services for thousands of customers and partners.
In the context of DORA, with its explicit focus on ICT third-party dependencies and on withstanding disruption, DNS resilience should be non-negotiable.
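The protective-DNS idea described above in working form. This is an added example written for this page, not code from the article or from any PDNS product; it works in the style of a response policy zone (RPZ). It assumes BIND-style query-log lines (constructed here, not real traffic) and a hypothetical blocklist and allowlist, and it shows the two things a PDNS filter has to get right, name normalisation and label-boundary matching, while recording each decision so blocked queries can feed the incident records a resilience regime expects.

```python
"""Minimal protective-DNS (PDNS) policy check over resolver query logs.

Added example in the style of a response policy zone (RPZ): each queried
name is checked against a blocklist (exact name or any subdomain) and an
allowlist that overrides it. The log format is BIND-style; all names and
log lines are constructed for this example and are not real traffic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample query-log lines (BIND-style), not real traffic.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.bank.example IN A
client 10.0.0.5#53212: query: Cdn.Evil-Domain.Example. IN A
client 10.0.0.9#40001: query: update.evil-domain.example IN AAAA
client 10.0.0.9#40002: query: notevil-domain.example IN A
client 10.0.0.7#41000: query: safe.evil-domain.example IN A
"""

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(name: str) -> str:
    """Canonical form of a DNS name: lower-case, no surrounding whitespace,
    no trailing dot, so 'Evil.Example.' and 'evil.example' compare equal."""
    return name.strip().lower().rstrip(".")


def matches(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of it. The comparison is
    on whole labels, so 'notevil.example' does not match 'evil.example'."""
    n = normalize(name).split(".")
    z = normalize(zone).split(".")
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass
class PdnsPolicy:
    blocked: set[str]                               # hypothetical threat-intel blocklist
    allowed: set[str] = field(default_factory=set)  # overrides for false positives
    events: list[dict] = field(default_factory=list)

    def decide(self, qname: str) -> str:
        """Allowlist wins over blocklist; anything unlisted is allowed."""
        if any(matches(qname, z) for z in self.allowed):
            return "ALLOW"
        if any(matches(qname, z) for z in self.blocked):
            return "BLOCK"
        return "ALLOW"

    def process_log(self, text: str) -> list[dict]:
        """Apply the policy to each parsable log line and record the verdict."""
        for line in text.splitlines():
            m = LOG_RE.search(line)
            if not m:
                continue  # unrelated log line: skip rather than fail
            self.events.append({
                "client": m["client"],
                "qname": normalize(m["qname"]),
                "qtype": m["qtype"],
                "verdict": self.decide(m["qname"]),
            })
        return self.events

    def blocked_by_client(self) -> dict[str, int]:
        """Blocked queries per client: the raw material for incident records."""
        counts: dict[str, int] = {}
        for e in self.events:
            if e["verdict"] == "BLOCK":
                counts[e["client"]] = counts.get(e["client"], 0) + 1
        return counts


if __name__ == "__main__":
    policy = PdnsPolicy(
        blocked={"evil-domain.example"},
        allowed={"safe.evil-domain.example"},
    )
    for event in policy.process_log(SAMPLE_LOG):
        print(f"{event['verdict']:5} {event['client']:10} {event['qname']}")
    print("blocked per client:", policy.blocked_by_client())
```

Two design points matter in practice. Matching on whole labels rather than on string suffixes is what stops a blocklist entry for one domain from silently blocking an unrelated domain that merely ends in the same characters, and normalising case and the trailing dot before comparing is what stops a trivially re-cased query from slipping past the filter. The allowlist is checked first so that a known false positive can be excepted without editing the threat feed.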
Layers
DORA isn’t the only regulatory framework on the radar. UK and EU financial institutions are also contending with NIS2 and other data and infrastructure mandates. Each has its own reporting requirements, technical expectations, and language.
Trying to manage each separately only creates duplication, confusion, and cost.
Instead, organisations need to rethink compliance as an integrated strategy. That means aligning internal policies and technologies with frameworks that overlap, so that a single improvement—like securing DNS—helps meet multiple regulations at once.
Solution
One useful path forward is to lean on established frameworks that already map to several regulations. The updated NIST SP 800-81, the Secure Domain Name System (DNS) Deployment Guide, sets out practices such as separating authoritative and recursive servers, restricting zone transfers and dynamic updates, signing and validating zones with DNSSEC, and logging resolver activity. Since NIS2 already references it, applying these practices strengthens a critical system while simultaneously satisfying controls under multiple rules.
Think of it as “one effort, many outcomes.” It lowers costs, reduces duplication, and embeds resilience directly into Tier 0 services like DNS—exactly what DORA is pushing for.
Long-Term
DORA isn’t just a legal hurdle. It’s a warning—and an opportunity. It tells the financial industry that the digital foundations it relies on need to be stronger, smarter, and more resilient.
So while many firms are focused on audits and reporting, the smarter move is to look deeper. Are your core services protected? Is DNS being treated as the vital infrastructure it really is? Can your systems survive the next major disruption without taking down your partners too?
That’s what DORA is really asking.
And if UK firms want to stay ahead—not just in compliance, but in reputation and customer trust—they’ll need to start answering it.
FAQs
Does DORA apply to UK financial firms?
Not directly. DORA binds EU financial entities, but UK firms that serve or partner with them are held to the same standards through contractual flow-down, so in practice most must meet them.
What is the main goal of DORA?
To ensure financial firms can withstand cyber and IT disruptions.
Why is DNS important for DORA?
DNS is a Tier 0 service; its failure can disrupt all other systems.
What is audit anxiety in DORA compliance?
Firms feel unsure how to implement vague regulatory requirements.
How can firms meet multiple compliance rules?
Use frameworks like NIST SP 800-81 to align with multiple mandates.