What Are the Implications of the new EU DORA Regulation and Operational Resilience Requirements for financial services companies?

One of the most talked about topics currently in legal, financial services and cyber security circles, Jonathan Armstrong, Partner at Punter Southall Law and expert in compliance and technology law, shares his insights on the implications of DORA for organisations in the EU and beyond.

Jonathan says, "DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions.  It applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers, like cloud computing services.”

“At its core is the recognition that financial systems across the EU are part of each country’s critical national infrastructure. Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.”

The global IT outage in July caused by cybersecurity firm CrowdStrike[i]  highlights this vulnerability as it was CrowdStrike’s connection to Microsoft’s systems that amplified the reach and impact, demonstrating how interconnected the global infrastructure is.

Jonathan adds, “DORA has caused concern in the financial services, tech and cyber security communities so it’s important for businesses to understand fully their responsibilities. Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025.”

Key Aspects of DORA:

• DORA is designed to consolidate and upgrade Information Communication Technologies (ICT) risk requirements throughout the EU financial services sector to ensure that a very wide range of participants in the sector are subject to a common set of standards to mitigate ICT risks. This includes cyber security risks.
• Given its concentration on supply chain resilience however, it will have an impact much wider than financial services. Specifically, DORA establishes requirements for:
  • Dedicated ICT risk management capabilities
  • Reporting of major ICT-related incidents
  • Digital operational resilience testing
  • Management by financial entities of ICT third-party risk
  • Information sharing among financial entities
• DORA extends its reach beyond the financial services sector and introduces an EU oversight framework for critical ICT providers such as cloud service providers.
• It is important to remember that the main DORA Regulation is binding legislation that is directly applicable in Member States after its entry into force. The DORA Directive will need to be transposed into each Members States’ national law.

Penalties and Personal Liability

• Member States will be responsible for establishing the penalties and remedial measures under DORA, which can apply to both natural and legal persons. Additionally, Member States can apply the penalties or remedial measures of a legal entity to members of its management body and other responsible individuals. Member States may also choose to establish criminal penalties for breaches of DORA.  In this respect DORA mirrors another recent compliance trend with a concentration on personal liability in an effort to reinforce cybersecurity measures.

The UK Operational Resilience Requirements

Whilst DORA does not apply to the UK financial services sector (except those UK entities that are also subject to the EU regime), operational resilience is a key priority for UK regulators and the UK regime is similar with the following key elements:

• Identify ‘important business services’ that could cause ‘intolerable harm’ if disrupted;
• Set an impact tolerance for ‘severe but plausible’ disruptions to each important business service;
• Carry out a mapping exercise (of people, technology, resources and systems), appropriate to the size, scale and complexity of the firm’s business model;
• Carry out scenario testing, i.e. can the firm stay within their impact tolerances for each important business service in the event of a severe but plausible disruption to operations
• Consider lessons learnt from testing or after an operational disruption;
• Develop a strategy for internal and external communications to reduce the anticipated harm caused by operational disruptions;
• Undertake self-assessments, which are approved and regularly reviewed by the board.

The Financial Conduct Authority and Prudential Regulation Authority operational resilience rules came into force 31 March 2022, with a three-year transition period applying until 31 March 2025 when the new UK regime applies in full. During this time there have been fines including for TSB in December 2022 which was fined £48.65m.  TSB’s fine  related to operational risk management and governance failures including management of outsourcing risks relating to the bank’s IT upgrade program. Technical failures in TSB’s IT systems resulted in customers being unable to access banking services. TSB also paid £32.7m in redress to customers, plus TSB’s CIO Carlos Abarca was fined personally[ii].

Next Steps for Businesses

Jonathan Armstrong highlights that any organisation that is in the DORA regime, or provides services to those that are, will need to consider how to meet its responsibilities under DORA. Whilst existing risk management and GDPR systems and processes can help, this is likely to be a significant project for most and will include the following key steps:

• A gap analysis to focus on the work that needs to be done. This could include scope questionnaires for various part of the business.
• Training on operational resilience. Likely to include the IT team, communications professionals and the compliance function.
• Making sure processes and procedures are in place to do horizon scanning and respond promptly to incidents. This is likely to include a review and testing of your incident response process.
• Looking at the board and senior management team’s skills and expertise. In many cases recruitment will be necessary to plug gap.
• For financial services organisations: Working out key dependencies, mapping devices and storage locations etc. and ensuring that compliant contracts are in place with all third party providers.
• For third party providers: Working out which key clients are likely to be in the DORA regime and anticipating the assistance they will need to comply. This could include white papers, FAQs or template responses.
• Working out your regulatory regime. Who key regulators will be and how you will meet your obligations to keep them informed.
• Look at your contracts. Will it be necessary to add a DORA addendum?
• Map critical and important function
• Robust testing of your new processes and the measures you have put in place.

Jonathan concludes, “Financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements. Organisations should seek specialist advice to ensure they fully understand how DORA and the UK rules apply to them.”