How does the Digital Operational Resilience Act impact financial service providers and ICT suppliers in the United Kingdom?
Impact of the Digital Operational Resilience Act on Financial Service Providers and ICT Suppliers in the UK
As the January 2025 compliance deadline for the EU's Digital Operational Resilience Act (DORA) approaches, financial firms and their ICT suppliers across the EU are preparing to meet its requirements.
Despite the UK's exit from the EU, many UK firms, particularly smaller third-party ICT suppliers, may mistakenly believe they are exempt from these new cyber risk management and operational resilience requirements.
This assumption is likely incorrect.
DORA applies to UK-based entities engaged in the wide range of financial market activities covered by the Act within the EU. Additionally, "Critical ICT Third Party Providers" (CTTPs) to Europe’s financial firms must comply with DORA’s requirements. Even providers not classified as CTTPs under the recently adopted delegated regulations will likely face these requirements through their contractual relationships with financial firms.
It is anticipated that DORA will affect thousands of UK entities, many of which will be encountering these standards for the first time.
Positive News for UK Firms
UK firms that fall within DORA’s scope might already be compliant with similar regulations and standards, such as SS2/21 and ISO 27001, which closely align with DORA. This means much of the preparatory work for UK organizations may already be in progress. Additionally, the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority are developing new operational resilience frameworks likely to align with DORA.
Specific Aspects of DORA for UK Companies
1. Intragroup Outsourced Services
Intragroup outsourced services fall within DORA’s scope. If a UK-based company operates in the EU and receives IT services from an intragroup company in Madrid, the Madrid entity must also comply. This requirement aims to bring the entire ecosystem of financial service providers to the same operational resilience level, though many organizations are unaware of this inclusion.
2. Beyond Cybersecurity
While cybersecurity is a major focus, DORA also addresses service availability and market risks, including hostile takeovers, business insolvency, and general service loss. Organizations must have continuity plans if a critical service provider goes bankrupt, ensuring legal access to data and scenario testing for these situations, beyond the Red and Purple teaming mandates for cybersecurity compliance.
3. DORA Compliance as a Baseline
Operational resilience regulations like DORA are being adopted globally, including in the US and Singapore. UK organizations should consider global compliance and risk mitigation, as threats in Europe can have worldwide impacts.
4. Innovation Through Compliance
New regulations can drive market growth and innovation, as seen with bans on CFCs in aerosol cans and lead paint. Similarly, DORA and other regulations are part of doing business in the digital age. Embracing these frameworks can enhance trust and innovation in product and service delivery.
The era of "move fast and break things" is over. Companies must integrate security and resilience into their systems by design to maintain growth.
Understanding your supply chain, mitigating risks, and documenting resilience are crucial for proving business continuity. Although this can be daunting, Carbon GRC is here to help.
Carbon GRC’s DORA Readiness Assessment
Carbon GRC offers a comprehensive DORA readiness assessment, providing tools, guidance, and expertise to achieve compliance. From policy and protocol creation to operational testing, reporting, and software resilience, Carbon GRC is your partner for governance, implementation, and risk remediation solutions.