Digital Operational Resilience Act (DORA) and its Implications for the UK Financial Services community and UK 3rd party IT suppliers
Scope of Digital Operational Resilience and Operational Resilience
Increasingly, regulators and industry bodies are concerned with the business, financial, operational, information and communications technology (ICT, including cyber), and regulatory resilience of businesses. These bodies are pushing the financial services sector to strengthen its governance of digital operational resilience. The key difference between digital operational resilience and the broader operational resilience function is:
- Digital Operational Resilience: Refers to the ability of institutions and associated entities to prevent, respond to, recover from, and adapt to any disruptions related to their digital infrastructure, including information and communications technology (ICT). This includes safeguarding against cyber threats, system failures, and third-party service outages that could impact the availability and integrity of services.
- Operational Resilience: Broader in scope, operational resilience encompasses an organisation's ability to continue delivering important business services during disruptions of any kind, whether digital, physical, or financial. This includes the management of risks from ICT, human error, third-party dependencies, or operational failures.
What is DORA?
The Digital Operational Resilience Act (DORA) is a regulatory framework aimed at ensuring that financial institutions in the European Union (EU) can withstand, manage, and recover from ICT-related disruptions, including cyber threats. DORA (Regulation (EU) 2022/2554) focuses on enhancing the digital resilience of the financial sector and introduces several new requirements for managing operational risks. Its key components are:
- ICT Risk Management
  Financial services entities are required to establish a robust framework for managing ICT-related risks. This includes:
  - Governance: Clear accountability structures, with senior management responsible for ICT risk management.
  - Identification and Protection: Policies and processes to identify ICT risks, protect against potential incidents, and ensure the integrity and security of systems.
  - Detection and Response: Systems for detecting potential disruptions and procedures to respond to incidents.
  - Recovery and Learning: Protocols for recovery after an ICT incident and continuous learning to improve systems.
- ICT Incident Reporting
  DORA establishes a standardised and mandatory process for reporting significant ICT-related incidents to regulators. Key aspects include:
  - Thresholds: Financial entities must report incidents that meet certain severity thresholds, such as those involving large-scale disruptions or cyberattacks.
  - Timeline: Incident reporting must be done within specific timeframes to ensure swift regulatory oversight and response.
  - Standardisation: Harmonisation of incident reporting across the EU to facilitate consistent supervision and monitoring.
- Digital Resilience Testing
  Financial institutions must conduct regular testing of their ICT systems and controls to ensure resilience. This includes:
  - Scenario Testing: Firms must simulate various operational disruptions (e.g., cyberattacks) to test their preparedness.
  - Advanced Penetration Testing: For larger institutions, threat-led penetration testing (TLPT) is required, where ethical hackers simulate real-world cyberattacks to uncover vulnerabilities.
  - Frequency: Testing must occur periodically, with higher-risk institutions needing more frequent assessments.
- Third-Party Risk Management (ICT Third-Party Providers)
  DORA places significant emphasis on managing risks posed by third-party ICT service providers (such as cloud providers and data processing firms):
  - Risk Assessment: Financial firms must assess the risks posed by their ICT service providers and maintain oversight.
  - Contractual Obligations: Contracts with third-party providers must include provisions that ensure the continuity of services in case of disruption.
  - Critical Providers Oversight: Stricter oversight for critical ICT third-party providers. These providers may be directly supervised by regulators to ensure they meet operational resilience standards.
- Information Sharing
  DORA encourages and facilitates information sharing on cyber threats and vulnerabilities within the financial services ecosystem. This is intended to improve collective resilience by:
  - Sharing best practices, insights, and threat intelligence among financial entities and regulatory bodies.
  - Supporting collaborative efforts to respond to emerging threats and vulnerabilities.
- Governance and Accountability
  DORA mandates that financial entities have a clear governance structure for managing ICT risks:
  - Senior Management Oversight: Senior leaders must be actively involved in ICT risk management and decision-making.
  - Risk Culture: Firms must foster a culture of awareness and proactive management of operational risks throughout the organisation.
  - Accountability: Clear lines of accountability must be established for managing and mitigating ICT risks.
- Oversight by Regulatory Authorities
  DORA enhances the role of regulatory authorities in overseeing digital operational resilience across the EU:
  - Monitoring and Enforcement: National regulators and EU-level bodies are empowered to monitor compliance with DORA and enforce penalties for non-compliance.
  - Cross-border Cooperation: The act strengthens cooperation between national regulators to oversee cross-border financial entities, ensuring consistency in supervision across the EU.
- ICT Concentration Risk
  DORA addresses the systemic risks posed by the concentration of services provided by a small number of key ICT providers (e.g., cloud service providers):
  - Regulatory Scrutiny: Critical ICT providers that serve multiple financial institutions are subject to enhanced regulatory scrutiny, and financial firms must avoid over-reliance on a single provider to reduce concentration risk.
  - Resilience of Critical Providers: Critical ICT providers may also be subject to additional stress testing and resilience assessments to ensure they can continue providing services in the event of a disruption.
- Regulatory Harmonisation
  One of the main goals of DORA is to create a harmonised framework across the EU:
  - It standardises rules for ICT risk management, reporting, and testing across all EU member states.
  - This harmonisation ensures consistency in the way financial institutions manage their digital resilience, regardless of where they operate in the EU.
In summary, DORA is a comprehensive regulatory framework designed to enhance the digital operational resilience of the financial sector. Its key components focus on ICT risk management, incident reporting, resilience testing, third-party risk management, and regulatory oversight, aiming to ensure that financial entities are prepared for and able to withstand a range of ICT disruptions.
When does DORA come into force?
DORA was officially adopted by the EU in November 2022, with its provisions expected to apply from January 17, 2025. Financial entities within the scope of DORA must comply with its operational requirements by this deadline.
Scope of DORA for UK Regulated Financial Services Companies and Associated 3rd Parties
While DORA directly applies to financial institutions operating within the European Union, its scope has potential implications for UK-based financial services firms and their third-party providers:
- UK Financial Services Companies: Although the UK is no longer bound by EU regulations post-Brexit, UK firms providing services to EU clients or operating in the EU market may need to comply with DORA requirements.
- Third-Party Providers: Any third-party ICT service provider, whether within the UK or outside, offering critical services to EU financial institutions would be subject to DORA's oversight requirements. This includes cloud providers, data processing firms, and outsourced IT services.
For UK firms not directly impacted by EU operations, DORA may still serve as an important benchmark for best practices in ICT risk management and operational resilience.
Is there a UK Equivalent to DORA?
The UK does not have an exact equivalent to DORA. However, the UK financial regulators, including the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA), and the Bank of England (BoE), have established frameworks that serve similar purposes:
- Operational Continuity (BoE, PRA, FCA): Introduced in 2021, this framework requires UK financial services firms to ensure the continuity of important business services, set impact tolerances, and regularly test their resilience to disruptions, including ICT-related risks.
- Senior Managers and Certification Regime (SM&CR): This regime emphasises individual accountability for operational resilience within UK firms, particularly in managing ICT risks.
- Cyber Resilience Guidance (FCA, PRA): UK regulators have long emphasised cyber resilience and third-party risk management, mirroring many of DORA’s objectives.
Key differences between DORA and UK Digital Operational Resilience regulations and legislation
While there is substantial overlap between DORA and UK operational resilience regulations, several key differences exist:
- Scope of Application:
  - DORA: Covers a broad spectrum of financial entities across the EU, with specific obligations on ICT risk management, cyber resilience, and third-party providers.
  - UK Regulations: The UK's operational resilience framework applies more broadly across financial services but leaves flexibility in how firms implement and test resilience measures.
- Third-Party Oversight:
  - DORA: Specifically mandates oversight of third-party ICT providers, including critical service providers such as cloud computing vendors, with strong regulatory controls.
  - UK Regulations: The UK's guidelines address third-party risk but do not impose the same level of formal oversight as DORA does on ICT providers.
- Harmonisation and Standardisation:
  - DORA: Standardises resilience requirements across all EU financial institutions.
  - UK Regulations: Offer more principle-based guidance, providing firms with discretion to choose how to meet operational resilience objectives.
Are the requirements of DORA new?
DORA represents a combination of both new requirements and reinforcement of existing best practices:
- New Requirements: DORA introduces new, more detailed requirements for ICT risk management, such as mandatory threat-led penetration testing, heightened oversight of third-party ICT service providers, and standardised incident reporting across the EU.
- Reinforcing Best Practices: DORA also builds on established principles of cyber resilience, risk management, and operational continuity, bringing together existing regulatory requirements under a more harmonised and consistent EU-wide framework.
What actions should UK companies take in anticipation of DORA?
UK companies, particularly those with exposure to the EU, should take proactive steps to align with DORA and consider adopting DORA-like practices even if not directly subject to the regulation. Key actions include:
- Assess their EU Exposure: Determine whether the company or its third-party providers are subject to DORA and assess the risk of non-compliance.
- Strengthen ICT Risk Management: Review and update ICT risk management frameworks to ensure they meet best practices in identifying, managing, and mitigating ICT risks.
- Enhance Incident Reporting: Develop clear and standardised processes for reporting ICT incidents to ensure preparedness in the event of regulatory changes or cross-border disruptions.
- Review Third-Party Risk Management: Ensure that contracts and oversight for third-party ICT service providers meet high resilience standards, especially if providing critical services to EU firms.
- Adopt Resilience Testing: Implement regular penetration testing and scenario-based testing to ensure preparedness for cyberattacks or system failures.
Benefits of adopting DORA-aligned practices
Although UK firms are already subject to robust operational resilience requirements, adopting DORA-like practices could provide additional benefits:
- Global Alignment: For UK firms with cross-border operations, adopting DORA-aligned practices would ensure regulatory alignment with the EU and bolster their resilience to digital risks, especially when interacting with EU clients and markets.
- Enhanced ICT Risk Management: The more detailed oversight of third-party providers and ICT risk management offered by DORA could further improve resilience beyond current UK requirements, particularly in cyber security and incident reporting.
- Competitiveness: Adopting DORA-like practices may give UK firms a competitive edge by demonstrating their commitment to international standards of digital operational resilience, which could be attractive to global clients.
Emerging Digital Operational Resilience challenges
As financial services, and indeed all industry sectors, become increasingly digitalised, several emerging challenges in operational resilience lie ahead:
- Increased Cyber Security Threats: Cyber threats continue to evolve, with more sophisticated attacks targeting financial institutions. Strengthened ICT risk management frameworks will be essential to combat emerging threats such as ransomware and nation-state cyberattacks.
- Complex Supply Chains: The increased reliance on third-party providers, particularly cloud services and fintech partners, will necessitate even greater regulatory oversight and due diligence in third-party risk management.
- Technology Innovation and Risks: As firms adopt new technologies like artificial intelligence, blockchain, and quantum computing, new operational risks will emerge that need to be integrated into resilience strategies.
Summary
DORA is a significant regulatory evolution: a comprehensive EU regulation aimed at strengthening the digital operational resilience of the financial sector. While it applies directly to EU-regulated entities, UK financial services firms, particularly those with cross-border operations, need to prepare for its impact. DORA sets a new bar for managing ICT risks, emphasising incident reporting, third-party risk management, and resilience testing.
For UK firms, adopting DORA-like practices, even if not required by law, can enhance digital resilience and align with international standards. UK regulatory frameworks, such as the Operational Resilience Policy and OCIR, address different aspects of operational and financial resilience, but do not provide the same level of prescriptive guidance on ICT risks and third-party oversight as DORA.
As digital threats evolve and regulatory expectations increase, firms will need to continue investing in digital resilience strategies to ensure they can respond to the next generation of operational risks.
Services
Specialist Skills Hub provides several key services to support organisations in improving operational resilience and complying with laws and regulations in the UK, Europe and internationally.
Our experienced consultants can help you understand where your organisation is currently, identify the key risks, and support or lead the development and delivery of a suitable action plan.
Specialist Skills Hub and our strategic partners provide CREST accredited security testing services.
If you would like to discuss your requirements and how we can support, please contact the team at:
hello@specialistskills.co.uk