
How EU regulatory changes will impact operational resilience from 2025 and how companies can prepare now

  • Publish date: posted 3 months ago
  • Author: MERJE

The EU's recent Digital Operational Resilience Act (DORA) signifies a change in its strategy for ensuring the strength and dependability of digital operations in the financial sector.

Designed to tackle the increasing threat of cyber attacks and the growing reliance of financial entities (FEs) on digital technology, DORA introduces a comprehensive regulatory framework aimed at bolstering the digital operational resilience of FEs in the EU.

DORA's impact is not limited to businesses based in the EU. As the UK navigates its post-Brexit relationship with the EU, it is crucial to grasp how the UK's own plans for ensuring operational resilience will influence businesses. It is also important to consider how this more advanced EU legislation could affect technology businesses in the UK, whether or not they directly serve FEs in the EU, and how it could give UK businesses a competitive advantage if navigated strategically.

Overview of DORA

Effective from January 16, 2023, with an application date set for January 17, 2025, DORA aims to strengthen IT security and operational resilience across various FEs such as banks, insurance companies and investment firms. Its primary goal is to ensure that the European financial sector remains robust when faced with significant operational disruptions. To achieve this objective, it moves towards aligning existing operational resilience regulations throughout the financial sector and includes third-party ICT service providers within its ambit.

DORA introduces a series of technical requirements covering four key areas:

  • ICT risk management and governance

  • Incident response and reporting

  • Digital operational resilience testing

  • Third-party risk management

Scope, application and enforcement of DORA

DORA's jurisdiction spans across the entire EU financial landscape, encompassing a broad spectrum of institutions, ranging from traditional banks and investment firms to non-traditional entities like crypto asset service providers and crowdfunding platforms.

Notably, it also impacts businesses typically beyond financial regulation scopes, including third-party ICT service providers such as cloud services and data centres.

The significant effects on these technology businesses include:

  • Indirect exposure due to FEs' obligations to manage their third-party risks

  • Direct exposure if such entities are identified as critical third parties (CTPs)

This marks the first instance where technology businesses fall under direct oversight by financial services regulators. A unique regulatory scenario may arise where a regulator's jurisdiction covers both parties involved in the same ICT services agreement.

Emphasising proportionality

DORA advocates for tailored compliance measures based on the size and nature of the regulated entity. Key duties involve implementing comprehensive ICT risk management frameworks, establishing incident management protocols, conducting regular resilience assessments and addressing third-party risks.

How it will be enforced

It will be managed by designated regulators in each EU Member State (Competent Authorities) empowered to levy penalties for non-compliance. Furthermore, CTPs will be overseen directly by lead supervisors from European Supervisory Authorities. DORA also promotes voluntary information exchange among financial entities regarding evolving cyber threat landscapes.

What is the UK’s DORA equivalent?

In light of the UK's post-Brexit regulatory environment, it is crucial for UK businesses serving as FEs or offering ICT services to FEs to comprehend the implications of DORA.

Prior to Brexit, UK financial regulations closely mirrored EU standards, facilitating cross-border activities for UK-based financial entities.

Post-Brexit, though retaining a significant portion of EU financial legislation, the UK has started diverging from some EU regulations. As a result, the UK is developing its own DORA equivalent (UK DORA), necessitating UK technology firms with FE clients in the EU to navigate dual regulatory frameworks concurrently.

Next steps for UK firms

Firms in the UK should by now have ascertained any vulnerabilities in their operational resilience, identified their critical business functions or services, set impact tolerances for the maximum tolerable disruption to each, and conducted mapping and testing at the level of sophistication necessary to do so.

From the end of March 2022 to March 31, 2025, firms must perform mapping and testing so that they are able to remain within their impact tolerances for each important business service. They must also have made the investments necessary to operate consistently within those impact tolerances.

In addition, they are expected to have established comprehensive communication strategies, both internally and externally, to address operational disruptions swiftly and efficiently and reduce the harm caused. In formulating their external communication approach, firms must have in place mechanisms for issuing crucial alerts or guidance to consumers and other relevant stakeholders, even when a direct communication channel is absent.

For UK businesses operating in the EU

Direct impact

UK FEs and ICT service providers operating within the EU must comply with DORA's stipulations. FEs must establish strong ICT risk management frameworks and incident reporting procedures, and conduct digital operational resilience testing. UK technology providers labelled 'critical' under DORA could face direct regulation by EU authorities, potentially necessitating the creation of EU-based subsidiaries to ensure compliance.

Indirect impact

DORA includes the requirement for FEs to oversee their ICT service supply chains thoroughly. This entails examining not only immediate providers but also subcontractors several levels down if they significantly support the ICT services in use. Consequently, even UK providers not serving FEs in the EU may still be affected by DORA, potentially influencing their market access and competitive positioning globally due to compliance expectations set by the regulation.

Outlook for UK businesses

Businesses subject to DORA are likely to incur additional costs related to adapting processes and systems to meet regulatory requirements. However, there are opportunities for UK technology firms amid these challenges as they position themselves as global technology leaders. Strategic planning for DORA compliance can lead to investments in technology, processes and skill development, offering a competitive edge through trustworthiness and innovation recognised by clients and regulators.

As details of UK DORA remain pending, it remains to be seen how local business landscapes will evolve alongside the parallel regulatory regime taking shape in the EU.

How do businesses feel about the onset of DORA?

The BCI Operational Resilience Report 2024 indicates that organisations in the UK finance and banking sector are generally optimistic about meeting regulatory expectations, although this confidence has slightly waned compared to the previous year with impending deadlines approaching in 2025.

Notably, about 60% of organisations have embraced operational resilience, not only for compliance reasons but also as good practice, showcasing its expanding influence beyond financial services.

The surge in organisations incorporating third-party guidance into their operational resilience strategies is significant. Last year, 40.3% of businesses cited third-party stakeholder relationships as a key motivator for implementing these programs, which has increased to 47.3% this year.

The report highlights that various sectors beyond financial services are aligning with operational resilience regulations worldwide. A majority of organisations (66.2%) are adhering to one to five regulatory frameworks, necessitating additional resources like personnel to maintain compliance.

Managing compliance across multiple countries poses challenges due to varying regulatory landscapes between jurisdictions. Despite differing definitions of operational resilience across sectors and regions, there are common components universally recognised as essential within operational resilience programs, such as identifying critical business services and suppliers, acknowledged by almost all surveyed entities.

A recent report, sponsored by software firm Riskonnect, revealed that 88.3% of organisations have taken significant steps towards enhancing their operational resilience. The report also highlighted the increasing importance of operational resilience across various sectors, with a particular focus on the financial services industry.

According to Rachael Elliott, Head of Thought Leadership for The BCI, the year 2024 marked a crucial period for financial institutions due to impending regulatory deadlines in 2025. She emphasised the establishment of a more structured approach to operational resilience despite ongoing challenges related to defining key concepts in this field.

If you'd like to discuss your firm's operational resilience and hiring plans in this area, get in touch with our recruitment experts who can provide all levels of skillset across permanent and interim contracts.