Exploring DORA: Beware Regs That Travel

Comparing UK Operational Resilience and Critical Third-Party Regulations with the EU’s DORA, and why UK firms are impacted more than they may realise. 

I’ve previously talked about the Volatile, Uncertain, Complex, Ambiguous and Connected (VUCA-C) world of financial services – and how regulatory frameworks play a key role in ensuring stability, security, and operational resilience. The most significant current regulatory regimes – the EU’s Digital Operational Resilience Act (DORA) and the UK’s Operational Resilience, Outsourcing and upcoming Critical Third-Party regulations – are defining how business models, systems, processes and third parties all knit together to form the backbone of the things customers rely on for day-to-day living – things which are coming under increasing threat of disruption, from an unprecedented number of triggers and causes. This is even more complex as technology and AI become increasingly embedded in (and integral to) financial services.

While this is intended to be a summary, there is no doubt a raft of subtlety, differing views and complexity in the individual pieces of detail – especially as the UK takes a more principles-based approach which, while more contextual, may cause a greater level of ambiguity.

1. DORA: A European Perspective 

What is DORA? 

The Digital Operational Resilience Act aims to bolster the IT security of financial entities – banks, insurers, and investment firms – within the EU. It is set to be fully effective from January 2025. It goes beyond traditional risk management by focusing on digital systems, cyber resilience, and critical third parties. Here’s what you need to know:

  • Purpose: DORA is looking to ensure that the financial sector remains resilient during severe disruptions. 
  • Scope: It applies to twenty different types of financial entities and ICT third-party service providers. 

DORA’s Key Requirements:  

  • ICT Risk Management: Establishing requirements for managing ICT risks 
  • Third-Party Risk Management: Monitoring and managing risks posed by third-party service providers 
  • Digital Operational Resilience Testing: Conducting basic and advanced testing 
  • Reporting ICT Incidents: Reporting major ICT-related incidents to competent authorities 
  • Oversight of Critical Third Parties: Implementing an oversight framework for critical ICT third-party providers. 

There are aspects of DORA that differ in approach to the UK regime, and so it’s worth thinking about the following key aspects: 

  1. Prescriptive Approach: DORA adopts a top-down approach, providing legally binding requirements for firms. It leaves little room for interpretation, emphasising specific outcomes. 
  2. Critical Third Parties: DORA expands its regulatory perimeter to include critical third parties – external service providers whose failure could impact financial stability. 
  3. Cyber Resilience: DORA emphasises robust cybersecurity practices, ensuring firms can withstand cyber threats and disruptions. 

Impact on UK Businesses: 

While DORA is an EU initiative, its impact extends beyond EU borders. UK-based financial institutions operating within the EU must comply. Additionally, DORA sets a precedent for other global jurisdictions considering similar regulations, in the same way as the UK regulations do – therefore, what we see is equivalence in principle, but differences in how they’re administered.

2. UK Operational Resilience and Outsourcing Regulations 

The UK’s approach complements DORA (or DORA complements the UK’s approach) – either way, there is equivalence in emphasising operational resilience. The key points include:

  • Mapping Dependencies: Firms must understand their people, processes, technology, and third-party dependencies 
  • Outsourcing Rules: The FCA defines outsourcing as arrangements where a service provider performs a process on behalf of a firm, although outsourcing requirements vary based on the type of function and its materiality

Operational Resilience Strategy: Firms set Impact Tolerances and levels of Intolerable Harm for Important Business Services and test their ability to remain within those tolerances during disruptions. 

Principles-Based Approach: 

However, the UK’s approach differs – rather than strict rules, it focuses on principles. So, regulators assess firms based on outcomes allowing flexibility (and some ambiguity) in its implementation. 

Critical Third Parties in the UK: 

The UK recognises the importance of critical third parties but doesn’t yet explicitly regulate them as DORA does. However, the upcoming UK Critical Third Party (CTP) regime aims to address this gap, and the UK’s CTP regime certainly expands the regulatory perimeter to include critical third parties that DORA might not be so prescriptive in covering: 

  • Definition: CTPs are third-party service providers whose failure or disruption could impact the stability of the UK financial system 
  • Designation: HM Treasury designates CTPs based on regulators’ recommendations 
  • Rules and Enforcement: The Bank of England, PRA, and FCA enforce rules, gather information, and conduct investigations on designated CTPs 

Comparing DORA and UK Regulations: 

The table below gives a summary level comparison of the regulations under DORA (EU), and the UK frameworks – with an interesting comparison to the US regulations to further illustrate maturity and regulatory equivalence: 

| Aspect | DORA (EU) | US Regulations | UK Regulations |
|---|---|---|---|
| Scope | Financial entities within the EU | Financial entities within the US | Financial entities within the UK |
| Incident Reporting | Mandatory reporting within 24 hours of detection | Varies by state; generally within 72 hours | Mandatory reporting within 72 hours |
| Risk Management | Requires comprehensive risk management frameworks | Emphasises risk management but less prescriptive | Requires comprehensive risk management frameworks |
| Third-Party Management | Strict guidelines for third-party risk management | Emphasises third-party risk management but less prescriptive | Strict guidelines for third-party risk management |
| Penalties | Significant fines for non-compliance, up to 2% of annual turnover | Varies by state; can include fines and other penalties | Significant fines for non-compliance, up to 4% of annual turnover |
| Data Protection | Aligns with GDPR, emphasising data protection and privacy | Aligns with various state laws, including CCPA | Aligns with GDPR, emphasising data protection and privacy |
| Governance | Requires a dedicated governance framework for ICT risk management | Emphasises governance but less prescriptive | Requires a dedicated governance framework for ICT risk management |
| Testing and Audits | Mandatory regular testing and audits of ICT systems | Varies by state; generally recommended but not always mandatory | Mandatory regular testing and audits of ICT systems |
| Operational Resilience | Emphasises operational resilience and continuity planning | Emphasises operational resilience but less prescriptive | Emphasises operational resilience and continuity planning |
| Regulatory Oversight | Strong regulatory oversight with regular reviews and updates | Varies by state; generally strong but less centralised | Strong regulatory oversight with regular reviews and updates |

4. Implications and Recommendations 

  • Business Impact: DORA affects not only EU-based firms but also UK businesses operating in the EU. Prepare for cross-border implications. 
  • Risk Mitigation: Identify critical functions impacted by DORA. Strengthen risk management practices and test resilience. 
  • Collaboration: Engage with regulators, industry peers, and legal advisors to navigate these changes effectively. 

What Should Firms Do? 

  1. Assess Impact: Identify which business functions and critical third parties are most affected by DORA 
  2. Collaborate: Engage with regulators, industry peers, and third parties to align practices 
  3. Enhance Cyber Resilience: Strengthen cybersecurity measures 
  4. Scenario Testing: Conduct realistic simulations to test operational resilience 
  5. Stay Informed: Monitor developments in both DORA and UK regulations 

What Can Help? 

DORA and UK regulations both converge on the need for robust operational resilience. By understanding and mapping complexity – and proactively adapting – firms can thrive in an increasingly complex and ambiguous landscape. This convergence is sensible; the alternative is regulatory arbitrage and chaos. It is inevitable that all territories follow suit, otherwise those that do not live up to the standard are likely to become unreliable partners – what this means is that regulations are likely to drift to the most robust standards, by default.

I happen to believe the UK has this right, when compared to the more prescriptive but limited regimes, and is around two years ahead.

But compliance is not just about ticking boxes – it is about building resilience that withstands the technology and multi-layered models we live with today. For example, Altus’ PEAK tool set, and industry reference models map not only the processes supporting an Important Business Service, but also all the interfaces and participants in the value chain too – with an understanding of all the third-party service providers and their inherent capabilities and services. And this is where, similarly to the UK regime, Altus are ahead in mapping capabilities by some margin. 

This capability-led approach is ideal for a COO, CRO or Compliance Officer looking to gain assurance that their Operational Resilience is not only embedded, but visually and culturally embedded – understood by instinct rather than by documentation. So, when things do go wrong, you can put your finger on the problem, its impacts and its resolutions in the shortest space of time, and take decisive action rather than waste that time just trying to unpick things.
