As financial institutions have become dependent on Information and Communication Technology (ICT) for daily operations, ensuring robust operational resilience has become a new area of regulatory focus. Several high-profile ICT outages have exposed vulnerabilities that affected the financial sector and, in turn, threatened its stability. For instance, in June 2023, many will remember the outage that affected Microsoft 365 services, including Teams and Outlook, disrupting thousands of users across Europe [1]. This disruption, linked to cyberattacks, highlighted the fragility of ICT infrastructure and reinforced the view that it needed stronger regulatory oversight.
Such outages were once seen as a concern mainly for large organisations; now every company, whatever its size, is once again obligated to comply with new rules. To address these challenges, the EU has introduced DORA (the Digital Operational Resilience Act), which will take effect in January 2025. DORA is designed to strengthen the resilience of financial firms’ operations across the EU, including firms operating in the UK.
As DORA’s implementation draws near, firms must be prepared to meet its stringent requirements, which outline clear obligations for ICT risk management, incident reporting, and third-party oversight. Regulatory bodies, such as the Financial Conduct Authority (FCA), are expected to align their oversight with DORA’s standards, increasing the need for firms to adopt proactive compliance strategies.
What DORA Entails:
DORA requires firms to implement thorough ICT risk management strategies, conduct regular testing of their operational resilience, and have robust incident reporting procedures in place. By providing detailed, prescriptive guidelines, DORA aims to create uniformity and raise standards across the financial markets. Additionally, it extends its regulatory oversight to critical third-party ICT providers, including those outside the EU, ensuring the protection of financial services against ICT-related disruptions [2].
In this section, we will cover:
- Who will be affected by DORA?
- What firms are expected to do
- The FCA’s perspective on DORA
Who will be affected by DORA?
Although DORA primarily applies to financial institutions within the EU, its impact extends beyond EU borders. UK-based entities are not exempt, especially those with significant operations in the EU or those that provide critical ICT services to EU financial firms. This regulation applies to a broad range of financial services, including banks, insurance companies, investment firms, payment institutions, and ICT providers. Financial institutions in the UK that have EU-based clients will also need to align with DORA’s requirements. Overall, the regulation will affect over 22,000 financial entities and ICT service providers across the EU, along with external ICT infrastructure that supports these institutions [3].
In effect, most financial firms operating in the UK with EU clients or branches/offices should comply.
What firms are expected to do
The regulation is structured around what has been referred to as the “Five Pillars of DORA” [4;5], which financial firms must adhere to:
1. ICT Risk Management: Requires institutions to establish governance frameworks to identify and manage ICT risks.
2. Incident Reporting: Mandates the timely reporting of significant ICT-related incidents to authorities and relevant stakeholders.
3. Digital Operational Resilience Testing: Outlines the need for regular testing of ICT systems, including penetration testing and scenario-based assessments, to ensure they can withstand potential disruptions.
4. Third-Party Risk Management: Requires financial institutions to effectively manage and monitor third-party ICT providers, detailing their responsibilities in the process.
5. Information Sharing Arrangements: Encourages the sharing of threat intelligence and best practices between financial entities to bolster collective resilience.
These pillars form a cohesive framework designed to fortify the financial sector against ICT-related risks. Full compliance with these pillars is essential for firms subject to DORA, ensuring they meet regulatory expectations while enhancing their operational stability.
The FCA’s perspective on DORA
While EU financial institutions have been given clear guidance on what to expect from DORA, UK firms have received less direction from the FCA. To date, the FCA has largely focused on its own operational resilience regulations, which could suggest that DORA may not have as significant an impact in the UK as elsewhere. This lack of engagement can lead to uncertainty among UK firms, raising concerns that some may not fully understand DORA’s relevance. It may be necessary for the FCA to provide further guidance to ensure UK firms are not left unprepared, which would leave their businesses at risk, notably of EU enforcement. It is also possible that a lack of compliance may result in fewer cross-border commercial opportunities.
However, while the FCA has been relatively quiet, industry experts such as PwC and KPMG see DORA as an opportunity. PwC highlights that, despite introducing new regulatory demands for UK firms, DORA presents a valuable opportunity for firms to strengthen their cybersecurity and operational resilience [5]. KPMG similarly frames DORA as both a challenge and an opportunity, offering firms the chance to improve their digital security and operational robustness [6;7]. Despite the FCA’s limited commentary, UK financial firms should recognise that compliance with DORA can serve not only as a regulatory obligation but also as an advantageous strategy for enhancing a firm’s overall resilience and cybersecurity. Firms should be proactive in aligning with DORA’s requirements, seeing it as a chance to future-proof their operations in an increasingly digital landscape.
In conclusion…
As financial institutions continue to face the evolving challenges posed by digital threats and ICT-related risks, DORA provides a clear and structured path to strengthening operational resilience. By enforcing a standardised framework across the EU, the regulation promotes greater consistency and protection for the financial sector. UK-based firms should take the steps to comply with DORA’s provisions, recognising the long-term benefits of improved cybersecurity, operational stability and a chance to do more business with the EU.
At Leo RegTech, we specialise in helping firms navigate these complex regulatory requirements. Our holistic platform for compliance professionals offers comprehensive tools to ensure your business meets DORA’s operational resilience standards, from automating risk assessments to streamlining compliance reporting.
How Leo Can Help You Navigate DORA
As the deadline for DORA approaches, Leo is here to offer your business tools that meet the regulatory changes. With our advanced solutions, we can help you address DORA’s key requirements efficiently, whether that is managing third-party risks through our vendor due diligence reports, or supporting incident reporting with our registers, which connect automatically to risk reports.
With Leo’s detailed report structures, linked to calendar deadlines and clear delegation to nominated staff, we can help compliance teams identify any issues ahead of time, demonstrate regulatory engagement, and provide timely remediation actions, all in one system. The Leo Regulated Firm Solution software, for example, offers a systematic approach to compliance risk assessment, record keeping, monitoring and even training for DORA on cyber security risks. With tools for rectification, it mitigates or entirely removes compliance risks, while providing an audit trail to demonstrate how firms are remaining compliant. Our Leo engineers will be happy to show you the DORA-compatible tools and modules we have prepared.
With Leo, you can focus on core compliance oversight while our software helps you organise the overall regulatory framework. If you would like to hear more about Leo, and how we can help, click the link below.
[1] Microsoft says early June service outages were cyberattacks | Reuters
[2] DORA regulation: all your questions answered | KPMG Luxembourg
[3] DORA and its impact on UK financial entities and ICT service providers | PwC UK
[4] The Five Pillars of DORA: What They Mean and How to Comply | Daisy UK
[5] The Digital Operational Resilience Act (DORA) | Deloitte UK
[6] The EU Digital Operational Resilience Act | kpmg.com
[7] Countdown to EU Digital Operational Resilience Act | KPMG UK