The EU's Digital Operational Resilience Act (DORA) represents a shift in the EU's approach to ensuring the robustness and reliability of digital operations within its financial sector. Intended to address the rising threat of cyber attacks and the financial sector's increasing reliance on digital technology, DORA sets out a comprehensive regulatory framework aimed at enhancing the digital operational resilience of financial entities (FEs) in the EU.
However, the impact is not limited to EU-based businesses. As the UK navigates its post-Brexit relationship with the EU, it is important to understand how the UK's own plans for ensuring operational resilience will affect UK businesses, and also how the (more advanced) EU legislation could affect a technology business in the UK regardless of whether it directly serves FEs in the EU, while potentially giving UK businesses a competitive advantage if navigated strategically.
DORA, which entered into force on 16 January 2023, with an application date set for 17 January 2025, aims to fortify the IT security and operational resilience of a broad spectrum of FEs, including banks, insurance companies, and investment firms. Its core objective is to ensure that the European financial sector remains resilient in the face of severe operational disruptions. To that end, it goes some way toward harmonising the existing operational resilience rules across the financial sector and includes information and communication technology (ICT) third-party service providers within its scope.
DORA introduces a set of technical requirements across four principal domains:
Scope
DORA's reach extends across the entire EU financial ecosystem, encompassing a wide range of institutions from traditional banks and investment firms to non-traditional entities such as crypto asset service providers and crowdfunding platforms. However, notably, it also impacts businesses typically outside the purview of financial regulations: third-party ICT service providers such as cloud services and data centres. The most significant effects on these technology businesses are:
The latter represents the first time that technology businesses have been under the direct oversight of the financial services regulators. This will lead to a unique regulatory dynamic where a regulator's remit could include parties on both sides of the same ICT services arrangement.
Proportionality
DORA emphasises a proportionate application, to some extent scaling compliance expectations relative to the size and nature of the regulated entity. Key responsibilities include establishing comprehensive ICT risk management frameworks, developing incident management processes, conducting regular resilience testing, and managing third-party risks.
Enforcement
The enforcement of DORA will be overseen by designated regulators within each EU Member State (Competent Authorities), which have the power to impose penalties for non-compliance. Additionally, critical ICT third-party providers (CTPs) will be directly supervised by lead overseers from the European Supervisory Authorities. DORA also encourages voluntary information sharing among financial entities about the emerging cyber threat landscape.
It is important for UK businesses, whether they are themselves FEs or they provide ICT services to FEs, to understand the implications of DORA in the context of the UK's post-Brexit regulatory environment.
Pre-Brexit
Before Brexit, the UK's financial regulations were closely aligned with EU standards, including those related to digital operational resilience. This alignment allowed for cross-border operations for UK-based financial entities.
Now
After leaving the EU, the UK retained a substantial part of the EU's financial legislation but has since begun to review and, in some cases, diverge from EU regulations. To that end, the UK is in the process of introducing its own DORA equivalent (UK DORA), meaning that UK technology businesses with FE customers in the EU will need to navigate two regulatory regimes in parallel.
The EU's DORA is significantly further along than UK DORA, but the UK's existing approach to operational resilience offers a useful basis for comparison. Both the UK and EU frameworks mandate the identification of critical business services or functions and require some form of operational resilience testing. The UK's existing approach requires firms to identify "important business services" and to determine their "impact tolerance," with detailed consideration of the various factors affecting service disruption. EU DORA mandates the creation of an ICT risk management framework, including a digital resilience strategy and governance, but is less granular in that it does not require businesses to set impact tolerances for each critical function or service.
Direct impact
Indirect impact
As the UK seeks to build its status as a global technology hub, it's worth mentioning the opportunities created by DORA for UK technology businesses. FEs (and ICT providers) will need to strategically plan for DORA compliance, considering the implications for ICT risk management, third-party provider relationships, and incident response mechanisms.
This may involve investments in technology, processes, and skills development, creating an opportunity for those at the forefront of technological innovation as well as industry heavyweights, whose trust and reliability in the eyes of customers (and regulators) could become an increasingly competitive advantage.
With details of UK DORA still to be finalised, we have yet to see how the landscape will evolve locally for UK businesses, noting that this will be a parallel regime to the one taking shape in the EU.
Disclaimer: This article was written with the help of AI but also by Michael Yates, Andi Terziu and Alisha Persaud.