DORA in the UK: What You Need to Know

As the deadline for compliance with the EU’s Digital Operational Resilience Act (DORA) draws near, financial firms and their ICT suppliers across the EU are gearing up to meet the January deadline.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

In the wake of the UK’s exit from the EU, many UK firms (especially smaller third-party ICT suppliers) may be under the impression that they’re in the clear and not subject to these new requirements for cyber risk management and operational resilience.

That assumption is likely wrong. In addition to DORA applying to UK-based entities that undertake, within the EU, any of the broad range of financial market activities captured by the Act, so-called “Critical ICT Third Party Providers” (CTTPS) to Europe’s financial firms will be subject to DORA’s requirements too. Even providers not deemed CTTPS under the criteria set out in the recently adopted delegated regulations will likely see requirements pushed down the supply chain and built into their contractual relationships with financial firms.

It’s likely DORA will impact thousands of UK entities, many subject to these kinds of standards for the first time.

There is some good news for in-scope UK firms: they may already be compliant with (or working toward) similar regulations, guidelines and standards, such as SS2/21 and ISO27001, that align closely with DORA. That means much of the work for UK organisations may already be done. The Bank of England, Prudential Regulation Authority and Financial Conduct Authority have also been working on new operational resilience frameworks that are likely to share guidance with DORA.

But while there are some similarities, there are key aspects of DORA that UK companies need to know about:

  1. Intragroup outsourced services are within scope. If your company is based in the UK and operates in the EU, you’re clearly in scope. But if your IT services are provided by an intragroup company in Madrid for example, that Madrid entity is also in scope. The group in Madrid will need to provide demonstrable proof of compliance in order for you to continue this model of operations. This is one of the key tenets of DORA—bringing the entire ecosystem of financial service providers to the same level of operational resilience.
  2. DORA isn’t just about cyber security. DORA also covers service availability and market risks. That includes issues like a hostile takeover, business insolvency and general loss of service. DORA requires that organisations have a plan for continuity of operations if a critical supplier goes bust, and that you have the legal right of access to your data. Scenario testing is required for these circumstances as well, beyond the red teaming and purple teaming mandated for cyber compliance.
  3. DORA compliance is the baseline. Not only are similar frameworks in the UK already in place, but we’re also seeing these operational resilience regulations being adopted on the global scale, including in the U.S., Singapore and other areas. The goal of these requirements is to ensure global economic stability. After all, whatever threats exist in Europe either already have or will affect the world. That means UK organisations need to be thinking beyond DORA about not only compliance, but also mitigating risk on a global scale.

The age of “move fast and break things” is over. Today, companies need to move fast and bake security and resilience into their systems by design to make sure they can keep moving fast. 

That can be a daunting task, which is why NCC Group is here to help. 

Our comprehensive DORA readiness assessment provides a one-stop-shop that includes the guidance and experience you need to achieve DORA compliance. 

To get started, or to learn more about DORA, visit our website today.