Top 3 Ways in which the EU DORA Impacts Businesses in the UK
Date: 12 June 2024
The European Union has taken a strong stand to improve the operational resilience of its financial entities in a digital world. The EU Digital Operational Resilience Act, which comes into effect in January 2025, aims to enforce harmonised risk regulations across the European financial sector.
In its quest to enhance Information and Communications Technology (ICT) related operational resilience, the EU DORA has many prescriptive requirements of financial entities. The important thing to note is that the DORA mandate goes beyond the financial entities themselves. DORA lays a lot of emphasis on the risk management capabilities of the ICT service providers and infrastructure that supports EU financial institutions.
If you’re a business based in the UK, you may think you are not directly impacted by DORA. But guess what - you probably are. There are several ways, direct and indirect, in which the implications of the EU DORA go beyond just the European Union.
Take a look below at the 3 main ways in which DORA will impact businesses in the UK.
Our recommendation? Regardless of whether you figure out you’re being impacted or not, let the EU DORA be that trigger for accelerating your cyber resilience maturity. Whether you’re currently being affected by DORA implementation or not, in an increasingly globalised world, you may soon feel its effects. What’s more? Many sources have been suggesting since 2022 that a UK-equivalent of DORA may be expected to emerge soon too.
So what can you do and how do you up your operational resilience maturity levels? More on that later.
Topics covered in this article:
1. Top 3 ways in which EU DORA impacts UK businesses
2. How can UK businesses become DORA compliant?
How will the EU DORA Impact Businesses in the UK?
#1. Direct Impact: The simplest way in which a UK business comes under the purview of DORA is if it’s a financial entity with operations in the EU or one that caters to EU citizens. Secondly, if you’re an ICT Service Provider to financial entities in the EU, you’re impacted by DORA.
Since DORA places stringent scrutiny requirements on subcontractors too, you could be impacted by DORA requirements even if you do not directly provide services to EU financial institutions.
#2. Cost of Compliance: With any upcoming regulatory requirement or update to existing regulations, there is always an impending cost of compliance. That will also be the case for UK businesses impacted by DORA.
On the subject of third-party ICT providers, DORA says, “Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards.” [Chapter V, Section 1, Article 28]
This indicates that DORA expects every third-party service provider, whether in the EU or outside it, to comply with its exacting standards of digital operational resilience.
However, it further adds that contractual agreements with third parties must include “requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework.” [Chapter V, Section 1, Article 30]
This means that businesses in the UK also need robust Cyber Incident Response Plans, policies and processes. They also need to test the effectiveness of these plans through regular operational resilience tests such as Penetration tests and scenario-based Cyber Tabletop Exercises. For more information on how to conduct these digital operational resilience tests, read our detailed blog on EU DORA and Cyber Tabletop Testing for Operational Resilience.
#3. Impact on Opportunities in the EU: This one is quite straightforward. If you’re looking to do business on a global level, including in the EU, you have to comply with the standards that DORA mandates for third parties. This is especially true for technology providers and those who will come under the category of critical infrastructure support.
Many experts are suggesting that the EU DORA standards will soon serve as a global benchmark. In order to remain competitive globally, it will be advisable to at least achieve the basic requirements that DORA has laid out. Several organisations across the world may soon prefer to partner with ICT service providers who meet DORA standards, not just out of regulatory obligation, but as a way to secure their supply chain as far as possible. It is, then, in your business interest to use the DORA mandate as a yardstick and enhance your cyber resilience posture accordingly to remain relevant, not just in the EU but the world over.
How can UK Businesses become DORA-ready?
If you’re a UK-based financial institution that operates in the EU, you have to achieve DORA compliance - there’s no two ways about it. You need to work on your ICT Risk Management framework, Cyber Incident Reporting and Operational Digital Resilience Testing with immediate effect.
If you’re a third-party service provider, you need to ensure that you meet the standards laid out by DORA for the supply chain in order to remain competitive. Some of the steps you can take immediately to achieve this goal include:
- Enhance your cybersecurity posture: While many DORA requirements overlap with those already existing in the UK, there will still be some gaps. Hiring an expert cybersecurity consultant to do a gap analysis and a cybersecurity risk assessment is a great first step.
If you currently don’t have complete confidence in your digital operational resilience posture, you may want to look at a service like our Virtual Cyber Consultant. In a very cost-effective and flexible format, our deeply experienced cybersecurity practitioners can help you plug the gaps that currently exist in your enterprise risk management framework. They can help you identify all the areas in which you may be lacking as an ICT service provider that is under the DORA remit and work with you on achieving compliance.
- Demonstrate proof of your digital and cyber resilience: DORA allows financial entities in the EU to ask critical infrastructure support providers for proof of their operational resilience plans and policies.
This means you need a robust cybersecurity incident response plan, playbook, and a cybersecurity policy with immediate effect. You also need to validate the effectiveness of this documentation through regular scenario-based testing as discussed earlier.
- Review existing contracts: You may need to review and change parts of some contracts with your existing EU clients. This might include new clauses about risk management and incident reporting as well as data sharing. You might also need to add new service level agreements, besides clearly delineating exit strategies for the partnership.
Final Word
While the advent of any new regulatory requirement does seem daunting at first, with a clear and concise roadmap, UK businesses can achieve DORA compliance seamlessly over the next few months. The first step in this direction would be to determine what the exact impact on your nature of business will be and proceed from there. Get help from digital resilience and DORA experts if need be. And remember that each regulation you achieve compliance with just makes you a more attractive partner for businesses in other geographies and industries.