DORA in the UK: 4 Things You Need to Know

06 June 2024

By Wayne Scott

How does the Digital Operational Resilience Act impact financial service providers and ICT suppliers in the United Kingdom?

As the January 2025 deadline for compliance with the EU's Digital Operational Resilience Act (DORA) draws near, financial firms and their information and communication technology (ICT) suppliers across the EU are gearing up to meet it.

In the wake of the UK's exit from the EU, many UK firms—especially smaller third-party ICT suppliers—may be under the impression they're in the clear and not subject to these new requirements for cyber risk management and operational resilience.

That assumption is likely wrong.

In addition to DORA applying to UK-based entities that undertake any of the broad range of financial market activities captured by the Act within the EU, so-called "Critical ICT Third Party Providers" (CTPPs) to Europe's financial firms will be subject to DORA's requirements as well. Even providers not deemed CTPPs under the criteria set out in recently adopted delegated regulations will likely see requirements pushed down the supply chain and built into their contractual relationships with financial firms.

It's expected that DORA will impact thousands of UK entities, many of which will be subject to these kinds of standards for the first time.

There is some good news for in-scope UK firms: they may already be compliant with (or working toward) similar regulations and standards, such as SS2/21 and ISO27001, that align closely with DORA. That means much of the work for UK organizations may already be done. Not to mention, the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority are also working on new operational resilience frameworks that are likely to share guidance with DORA.

But while there are some similarities, there are also specific aspects of DORA that UK companies need to know about:

4 important considerations for UK DORA compliance

Intragroup outsourced services are within scope.

If your company is based in the UK and operates in the EU, you're clearly in scope. But if, for example, an intragroup company in Madrid provides your IT services, that Madrid entity is also in scope. The group in Madrid will need to provide demonstrable proof of compliance in order for you to continue operations. This is one of the key tenets of DORA: bringing the entire ecosystem of financial service providers to the same level of operational resilience. Yet most organizations are unaware that intragroup outsourced services are in scope.

DORA is not just about cyber security.

While most of the industry is focused on the cyber security side of operational resilience, DORA also covers service availability and market risks. That includes issues like a hostile takeover, business insolvency, and general loss of service for virtually any reason. A firewall can't protect you if a critical service provider goes bankrupt, so DORA requires that organizations have a plan for continuity of operations if a supplier goes bust and that you have the legal right to access your data. Scenario testing is also required for these circumstances, beyond the Red and Purple teaming mandate for cyber compliance.


DORA compliance is the baseline.

Not only do we already have similar frameworks in the UK, but we're also seeing these operational resilience regulations being adopted globally, including in the US, Singapore, and other areas. The goal of these requirements is to ensure global economic stability. After all, threats existing in Europe either already have or will affect the world. That means UK organizations need to think beyond DORA and worry about both compliance and risk mitigation on a global scale.


Embracing change drives innovation.

While some argue that new regulation creates hurdles to business, more often than not, it fuels resilient markets and market growth. We saw it drive innovation when countries banned CFCs in aerosol cans and lead paint: new formulas and markets emerged. Regulations like DORA are the same and are simply a reality of doing business in the digital age. Finance only works with trust, and the sooner you embrace these frameworks as an opportunity to prove your resiliency and trustworthiness, the quicker you can innovate on product and service delivery around them.

The age of "move fast and break things" is over. Today, companies need to act quickly and bake security and resilience into their systems by design to ensure they can keep their growth on track.

There's nothing outrageous about understanding your supply chain, identifying and mitigating risks, and documenting your resilience to prove business continuity capabilities even in the face of threats. That said, it can be a daunting task, which is why NCC Group is here to help.

Our comprehensive DORA readiness assessment provides a one-stop shop for the tools, guidance, and experience you need to achieve DORA compliance. From policy and protocol creation and operational testing to reporting and software resilience, let NCC Group be your partner for proven governance, sound implementation, and risk remediation solutions.

Wayne Scott

Regulatory Compliance Solutions Lead, Escode | NCC Group

As Regulatory Compliance Solutions Lead, Wayne Scott liaises with the global financial services regulators and provides valuable insight into consultation responses in order to shape future regulation.

Within his role inside NCC Group, he works with internal teams to ensure that products meet the regulatory requirements and advises systemic financial institutions and their suppliers on compound and accumulative non-cyber risk.

Mark DORA compliance off your checklist.

Get the jump on regulatory requirements with a comprehensive DORA readiness assessment or reach out to our team with questions about the compliance process for your unique business.