IT, TECHNOLOGY & AI ADVISORY

Technology Is the Engine. The Legal Framework Is What Keeps It Running.

DORA has applied since January 2025. The EU AI Act is in force and its obligations are phasing in. UK financial services firms deploying AI, cloud infrastructure and third-party technology face governance, contractual and regulatory obligations that most have not fully assessed. Cambitas provides legal and regulatory advisory across the full technology lifecycle — from procurement and contracts through to AI governance, operational resilience and cybersecurity.

Our principals built and ran technology legal functions inside major UK financial institutions — advising on technology procurement, cloud strategy, AI deployment and operational resilience from the inside of the organisations that face these obligations.

No obligation. Confidential from the first conversation.

Why Cambitas

Technology Advisory From People Who Have Operated These Systems From the Inside.

Cambitas principals built and ran legal and compliance functions inside major UK financial institutions and technology companies. They negotiated technology outsourcing agreements, designed cloud governance frameworks, managed cyber incident responses and implemented operational resilience programmes — as insiders under genuine commercial and regulatory pressure.

Technology legal advisory that does not understand how technology actually operates in a regulated business — how cloud infrastructure creates regulatory perimeter questions, how AI deployment triggers UK GDPR and FCA governance obligations simultaneously — produces advice that is technically correct and practically inadequate.

When you instruct Cambitas, you work directly with our principals. No associates. No delegation.

FREE DOWNLOAD

UK Technology & AI Regulatory Readiness Guide 2026

What DORA requires, what the EU AI Act means for UK businesses, what FCA AI governance expectations are and how to build a technology legal framework that addresses all three.

No obligation. No sales call unless you ask for one.

CORE TECHNOLOGY LEGAL SERVICES

Four Areas Where Technology Legal Advice Makes the Biggest Difference

Each card includes what we see going wrong in practice and exactly what we do about it.

Technology contracts written without understanding how the technology operates create gaps that only become visible when the system fails or the relationship breaks down.

What we see in practice

The most consistent gap in technology procurement is the mismatch between what the procurement team negotiated and what the technology contract actually says. Exit assistance obligations that are technically present but operationally worthless, service level definitions that do not reflect what the business actually needs, and liability caps set without reference to the actual loss exposure created by the technology — these are the terms that create crisis when the technology fails. For regulated firms, technology contracts must additionally address DORA requirements, operational resilience obligations and FCA third-party risk management standards.

What we do

We draft and negotiate technology contracts, cloud computing agreements, system implementation contracts and managed services arrangements. For regulated financial services firms, we ensure technology contracts satisfy DORA requirements, FCA operational resilience obligations and third-party risk management standards alongside commercial protection.

UK financial services firms deploying AI face governance expectations from the FCA that most have not assessed — and EU AI Act obligations that apply to UK businesses with EU operations.

What we see in practice

The FCA has signalled AI governance as a supervision priority from 2025 onwards. Its expectations go beyond the EU AI Act's requirements — covering model risk governance, explainability of AI decisions that affect customers, fairness in automated credit and insurance decisions, and board-level accountability for AI outcomes. Most UK financial services firms have deployed AI tools without conducting a structured assessment of these obligations. The gap between current AI deployment practices and what the FCA and EU AI Act will expect is significant and, for many firms, not yet understood.

What we do

We assess AI systems against applicable governance frameworks — UK GDPR Article 22, EU AI Act risk classification, FCA AI governance expectations and model risk management standards. We design AI governance frameworks, advise on transparency and explainability obligations, build human oversight mechanisms and advise on the board-level accountability structures that regulators expect for AI in regulated financial services.

A cybersecurity incident is assessed by regulators on two dimensions: the adequacy of preventative controls and the quality of the response. Both are legal and governance issues, not just technical ones.

What we see in practice

The FCA's approach to cybersecurity incidents has become significantly more assertive. Firms that experience significant cybersecurity incidents are expected to demonstrate that their governance framework included adequate cybersecurity oversight, that they had tested their incident response plan and that their response was proportionate and prompt. The FCA's supervisory focus is less on the detail of individual technical security controls than on whether the board and senior management exercised genuine oversight of cybersecurity risk: whether the risk was understood, resourced, tested and reported. Most firms have IT security teams but inadequate board-level cybersecurity governance.

What we do

We advise on the legal and governance dimensions of cybersecurity — board-level cybersecurity governance frameworks, cyber incident response plans and their legal dimensions, ICO and FCA notification obligations following cyber incidents, regulatory engagement management and the contractual cybersecurity obligations in technology and outsourcing agreements.

DORA is not a future compliance project for EU firms. It has applied since 17 January 2025, and its requirements reach UK financial services firms that are part of groups with EU regulated entities, that have EU-authorised operations or that supply ICT services to EU financial entities.

What we see in practice

The Digital Operational Resilience Act applies to a wide range of financial entities operating in the EU — and reaches UK firms that provide ICT services to EU financial institutions, or that are part of groups with EU regulated entities. The DORA requirements that create most operational complexity for financial services firms are the ICT third-party risk management obligations, the ICT-related incident reporting requirements and the digital operational resilience testing programme — including threat-led penetration testing for the financial entities that their competent authority identifies as required to perform it. Most firms have not yet mapped their full DORA exposure.

What we do

We advise on DORA applicability assessments for UK and cross-border financial services firms, DORA compliance gap analyses, ICT third-party risk management framework design, incident reporting obligations, contractual requirements for ICT service provider agreements under DORA and the intersection of DORA with FCA operational resilience requirements for UK regulated firms.

SPECIALIST TECHNOLOGY ADVISORY

Cloud, FinTech Product Design & Regulated Technology

Two areas where technology legal advice requires deep understanding of both the technology and the regulatory framework simultaneously.

Cloud adoption in UK financial services has moved faster than the legal and regulatory frameworks governing it. Most financial services firms have significant cloud exposure that has not been assessed against current FCA and DORA requirements.

What we see in practice

The FCA's operational resilience framework and DORA both impose specific requirements on financial services firms' use of cloud services — particularly concentration risk assessment for critical cloud dependencies, contractual requirements for cloud service provider agreements and exit strategy obligations. Most UK financial services firms have cloud agreements that predate these requirements and have not been updated to satisfy them. The FCA has identified cloud governance as an operational resilience gap in multiple supervisory findings.

What we do

We advise on cloud computing legal and regulatory requirements for UK financial services firms — FCA and DORA cloud governance obligations, review and negotiation of cloud service provider agreements, concentration risk assessment, exit strategy design and the contractual terms required in cloud agreements for regulated financial services use.

Building regulated or regulation-adjacent financial technology requires legal advice that understands both how the technology works and what regulatory framework it sits within.

What we see in practice

The FCA's regulatory perimeter catches fintech products at three predictable moments: product launch, revenue model expansion and UK market entry. Products that process payments, facilitate investment, provide credit, distribute insurance or market financial products each have different regulatory implications — and the boundary between regulated and unregulated activity is not always obvious from a technology perspective. Products built without a regulatory perimeter analysis are exposed from day one, and the FCA does not treat perimeter errors as innocent mistakes when a business has been operating for months without authorisation.

What we do

We advise on regulatory perimeter analysis for fintech product designs, product privacy and data assessments, terms of service and platform regulatory compliance, the FCA regulatory requirements applicable to specific product features, and the governance frameworks that regulated financial technology products require. We also advise on technology governance for crypto and digital asset products.

FURTHER TECHNOLOGY SERVICES

Six More Areas We Cover

Each links to a dedicated advisory page with detailed practical guidance.

Algorithmic trading systems create specific regulatory obligations under UK and EU market abuse frameworks — and the FCA's oversight of algorithmic trading governance has become significantly more demanding. We advise on the governance and legal requirements for algorithmic trading systems, pre-trade controls, kill switches, market abuse surveillance obligations and the regulatory expectations for firms operating algorithms in UK and EU markets.

Technology outsourcing by FCA-regulated firms triggers specific obligations — FCA operational resilience requirements, DORA ICT third-party risk management standards and UK GDPR data processing obligations must all be addressed in the outsourcing arrangements. We advise on technology outsourcing legal requirements, draft and negotiate outsourcing agreements for regulated firms, and design outsourcing governance frameworks that satisfy FCA and DORA requirements.

Digital identity solutions and electronic know-your-customer processes create specific legal and regulatory obligations — UK GDPR automated processing requirements, FCA AML and customer due diligence standards, and the emerging UK digital identity regulatory framework. We advise on the legal and regulatory requirements for digital identity products and eKYC systems deployed in UK regulated financial services.

AI and automated decision-making systems that affect consumer outcomes in financial services carry obligations under UK GDPR Article 22, FCA Consumer Duty and emerging AI governance frameworks simultaneously. We advise on the legal requirements for automated decision-making in consumer financial services — including transparency obligations, human oversight requirements, Consumer Duty fair outcomes obligations and the FCA's expectations for firms using AI in customer-facing decisions.

Technology businesses operating across UK and UAE markets face distinct regulatory obligations in each jurisdiction — UK FCA requirements do not satisfy UAE VARA or ADGM technology governance standards, and vice versa. We advise on cross-border technology regulatory compliance for businesses with UK and UAE operations — including the technology governance requirements of FCA, VARA, ADGM and DIFC frameworks and how to design technology legal frameworks that satisfy both.

Senior managers at UK financial services firms carry individual accountability for technology risk governance under SM&CR — and the FCA's expectations for board-level technology risk oversight have increased significantly. We design board-level technology risk governance frameworks, advise non-executive directors on their technology risk oversight obligations, and provide board advisory support on cybersecurity, AI governance and operational resilience at the governance level.

A Technology Legal Question on Your Desk?

Bring it directly to us. No obligation.

THE THREE REGULATORY DIMENSIONS

Three Frameworks That Now Govern Technology in UK Financial Services

UK financial services firms deploying technology face three overlapping regulatory frameworks simultaneously. Each imposes distinct obligations.

1. FCA governance expectations

The FCA expects board-level ownership of technology risk, operational resilience frameworks covering critical technology services, and AI governance that demonstrates genuine oversight of AI outcomes.

2. DORA requirements

Since 17 January 2025, DORA has imposed ICT third-party risk management, incident reporting and resilience testing obligations on financial entities regulated in the EU. UK firms are affected through EU group entities, EU-authorised operations or the contractual terms that EU financial entities must flow down to their ICT providers.

3. EU AI Act obligations

The EU AI Act applies to UK businesses with EU operations. High-risk AI systems — which in financial services include creditworthiness assessment of individuals and risk assessment and pricing in life and health insurance — carry specific transparency, accuracy and human oversight obligations from August 2026.

HOW WE APPROACH IT

How Cambitas Approaches Technology Legal & Regulatory Advisory

The sequence Cambitas follows when advising a UK financial services firm on its technology legal and regulatory position.

Step 1

Map the Technology Footprint First

Before advising on legal requirements, understand what technology the organisation actually uses — cloud services, AI tools, third-party ICT dependencies, algorithmic systems and data processing infrastructure.

Most organisations do not have a current, complete map of their technology dependencies. Building one is the starting point for every technology regulatory assessment.

Step 2

Assess Regulatory Applicability

Determine which regulatory frameworks apply to which technology — DORA applicability for ICT services, EU AI Act risk classification for AI systems, UK GDPR obligations for automated processing, FCA operational resilience for critical services.

The same technology can trigger multiple regulatory frameworks simultaneously. The assessment must identify all applicable obligations — not just the most obvious ones.

Step 3

Identify the Contractual Gaps

Assess existing technology contracts against the regulatory and commercial requirements identified — identifying contractual gaps that create regulatory non-compliance or commercial exposure.

Technology contracts signed before DORA came into force, before the FCA's operational resilience framework was updated or before AI governance obligations crystallised will typically have significant gaps.

Step 4

Design the Governance Framework

Build the governance structures that satisfy regulatory expectations — board-level oversight arrangements, AI governance frameworks, incident response plans and operational resilience testing programmes.

Governance documentation without operational governance is the pattern regulators find and act on. Frameworks must be built to function, not to document.

Step 5

Remediate Contracts and Documentation

Update existing technology contracts to satisfy DORA, FCA and UK GDPR requirements. Negotiate new contractual terms with ICT service providers where existing agreements are inadequate.

ICT service providers are increasingly familiar with DORA requirements and most can accommodate compliant contractual terms — but they will not volunteer them without negotiation.

Step 6

Maintain and Monitor

Technology regulatory requirements are evolving rapidly. The governance framework and contractual position must be reviewed regularly as regulatory requirements change and the technology footprint evolves.

A technology regulatory framework that was adequate in 2024 may not satisfy DORA, FCA or EU AI Act requirements in 2026. Ongoing monitoring is not optional.

💡 DORA AND UK FIRMS — THE QUESTION WE ARE ASKED MOST

DORA applies directly to financial entities regulated in the EU and, through designation, to critical ICT third-party providers. UK firms are affected if they are part of a group with an EU regulated entity, if they have EU-authorised operations, or if they provide ICT services to EU financial entities, in which case DORA's contractual requirements are flowed down to them by their EU clients. UK-only firms with no EU connection are outside DORA's scope, but remain subject to FCA operational resilience requirements that have significant overlap.

GO DEEPER

Explore Our Advisory Guides

Each page below goes further — real detail on what we do and what to expect.

DORA & ICT Operational Resilience

What DORA requires, who is in scope, the ICT third-party risk management obligations and how to assess and address your DORA exposure.

AI Governance & Legal Compliance

UK GDPR Article 22, EU AI Act risk classification, FCA AI governance expectations and how to build an AI legal framework that addresses all three.

Cybersecurity Legal Advisory

FCA cybersecurity governance expectations, incident response legal obligations, regulatory notification requirements and board-level cybersecurity oversight.

WHAT COMPLIANCE LOOKS LIKE

Inadequate vs Compliant Technology Governance in UK Financial Services

The FCA and DORA assess technology governance by what firms actually do — not what their documentation says. Here is what the difference looks like across the areas that matter most.

| Area | Inadequate Approach | Compliant Approach |
| Cloud governance | Cloud agreements predate FCA operational resilience and DORA requirements. No concentration risk assessment. No exit strategy. Service levels not aligned to impact tolerances. | Cloud agreements updated to include DORA-compliant ICT third-party risk terms. Concentration risk assessed and documented. Exit strategy tested. Service levels aligned to FCA impact tolerances. |
| AI governance | AI tools deployed without DPIA or Article 22 assessment. No AI inventory. No board-level accountability structure. No explainability documentation for customer-facing decisions. | AI system inventory maintained. DPIAs conducted for high-risk AI. Article 22 assessments completed. Board-level AI accountability defined. Explainability documented for customer-facing systems. |
| Cyber incident response | Incident response plan exists as a document. Never tested. No clear regulatory notification obligations documented. No FCA or ICO notification thresholds confirmed. | Incident response plan tested annually. FCA and ICO notification thresholds documented and understood. Notification process rehearsed. Post-incident review process in place. |
| DORA readiness | DORA applicability not assessed. Existing ICT agreements do not include required contractual terms. No ICT-related incident classification framework. No TLPT programme. | DORA applicability assessed. ICT agreements reviewed and updated. Incident classification and reporting framework in place. TLPT programme designed for applicable entities. |
| Algorithmic trading | Algorithm governance framework describes controls that do not operate in practice. No independent pre-trade controls. Kill switch procedures not tested. Surveillance system tuned to generate low alert volumes rather than to detect abuse. | Genuine pre-trade controls operating independently. Kill switch procedures tested. Surveillance programme risk-based and designed to detect problems, not to generate clean outputs. |
| Board oversight | Board receives IT security updates quarterly. Technology risk not included in principal risk framework. No NED with technology governance responsibility defined. | Technology risk in principal risk framework. Board receives risk-based technology reporting. At least one NED with defined technology governance accountability. Annual board technology risk review. |

→ WHICH COLUMN DESCRIBES YOUR FIRM?

If the Inadequate Approach column in any row accurately describes your current position, that is where a conversation with Cambitas starts.

WARNING SIGNS

Three Signs Your Technology Legal Framework Needs Attention

These are the three patterns most consistently found in UK regulated firms facing FCA technology governance concerns.

Cloud contracts predating 2023

Cloud service provider agreements signed before the FCA's operational resilience framework came into force and before DORA applied are very likely to be missing the contractual terms both frameworks now require.

AI tools in use without governance assessment

If AI tools are being used to influence or make decisions about customers, credit, fraud or employee matters — without a DPIA, an Article 22 assessment or an AI governance framework — that is a regulatory gap that is growing with every month of deployment.

Incident response plan never tested

An incident response plan that has never been tested in a simulation exercise will not function under the pressure of a real incident. Both the FCA and DORA expect evidence of testing, not just documentation.

→ RECOGNISE ANY OF THESE?

These are worth addressing before they surface in a client dispute, a regulatory review or a transaction due diligence process.

WHO WE WORK WITH

The Organisations We Advise on Technology Legal & Regulatory Matters

Technology legal advisory for UK financial services, fintech and technology businesses — at every stage from product design through to ongoing regulatory compliance.

UK Regulated Financial Services Firms
Investment firms, banks, payment institutions and insurers facing DORA, FCA operational resilience, AI governance and cloud computing regulatory requirements — where technology risk governance is a supervisory priority and contractual gaps in technology agreements create direct regulatory exposure.
UK Fintech & Digital Asset Businesses
UK fintech and digital asset businesses deploying AI tools, building regulated technology products and managing cloud-dependent infrastructure — where technology legal and regulatory advisory must keep pace with the speed of product development.
UK Technology Businesses Serving Regulated Firms
Technology companies providing ICT services to FCA-regulated financial institutions — where DORA's ICT third-party risk management requirements impose contractual obligations on the technology provider as well as the financial institution buying the service.
International Businesses with UK Technology Operations
UAE-based and international technology and financial services businesses with UK operations or UK technology dependencies — where technology governance must satisfy both UK FCA and UAE regulatory requirements simultaneously.

SITUATIONS WE WORK THROUGH

Questions We Are Asked Every Week

Direct answers to technology legal and regulatory questions UK businesses bring to us most often.

DORA applies directly to financial entities regulated in the EU and, through designation, to their critical ICT third-party providers. UK firms are affected if they are part of a group with EU-regulated entities, if they have EU-authorised operations, or if they provide ICT services to EU financial entities, whose DORA contractual requirements are flowed down to their suppliers. UK-only firms with no EU connection are outside DORA's direct scope, but remain subject to FCA operational resilience requirements that have significant substantive overlap with DORA. We conduct DORA applicability assessments and advise on the implications for both in-scope and out-of-scope firms.

UK financial services firms deploying AI face obligations under UK GDPR Article 22 (automated decision-making), the FCA's emerging AI governance expectations and, for firms with EU operations, the EU AI Act. The starting point is an AI system inventory — cataloguing every AI tool in use, what personal data it processes, what decisions it influences and whether any systems fall within the EU AI Act's high-risk classification. Most firms find multiple unassessed compliance obligations at this stage. We conduct AI legal assessments and design AI governance frameworks.

Very likely yes. Cloud agreements signed before the FCA's operational resilience rules came into force in March 2022 (with full compliance required by March 2025), and before DORA applied from January 2025, are likely missing the contractual terms both frameworks require — including exit strategy provisions, service continuity obligations, concentration risk acknowledgement and the specific audit and oversight rights that regulators expect to see in agreements with critical ICT providers. We review cloud agreements and advise on which terms require negotiation.

For UK financial services firms, a significant cybersecurity incident triggers potential notification obligations to the FCA under Principle 11 and its systems and controls and operational resilience rules; to the ICO under UK GDPR where a personal data breach is likely to result in a risk to individuals (without undue delay and, where feasible, within 72 hours of becoming aware of it); and to affected individuals where the breach is likely to result in a high risk to them. What the FCA regards as a notifiable incident is broader than most firms appreciate. We advise on regulatory notification obligations in real time following cyber incidents and manage the regulatory engagement throughout the response.

Potentially yes. DORA's ICT third-party risk management requirements oblige EU financial entities to include specific terms in their contracts with ICT service providers, so if the UK financial institution you are providing services to is part of a group with EU regulated entities, those requirements may be flowed down into your contractual arrangements with them. UK financial institutions subject to FCA operational resilience requirements will also impose contractual obligations on their technology suppliers that reflect those requirements. We advise on DORA and FCA technology supplier obligations for UAE and international technology businesses.

Ready to Talk?

No obligation. No sales pitch. Just a direct conversation.


Technology governance problems are cheaper to fix before the regulator investigates.

DORA is in force. The EU AI Act obligations are approaching. The FCA's AI governance expectations are being built into its supervisory framework right now. The firms that address these proactively will be ready. The firms that wait will be remediating under regulatory pressure.

Cambitas provides technology legal and regulatory advisory for UK financial services and technology businesses — covering all 12 service areas above, delivered by principals with decades of in-house technology legal experience.

DOWNLOAD FREE GUIDE

Governance Reviews & Remediation Guide