What is the UK approach?
In response to the evolving cyber threat landscape and in parallel with EU efforts, the UK has been fortifying its own regulatory framework around the digital operational resilience of its financial sector:
Financial Services and Markets Act 2023 (FSMA 2023):
Introduced as the Financial Services and Markets Bill, it received Royal Assent in June 2023. Among other things it gives HM Treasury the power to designate "critical third parties" to the financial sector (large cloud and other ICT providers, for example) and brings them under direct oversight by the Bank of England, PRA and FCA. This is the closest UK counterpart to DORA's oversight regime for critical ICT third-party providers.
Bank of England, PRA and FCA Operational Resilience Policy:
Published in March 2021 and in force since 31 March 2022, this policy requires firms to identify their important business services, set an impact tolerance for each, and show through scenario testing that they can stay within those tolerances during severe but plausible disruptions. Firms had to have mapped their services and set tolerances by 31 March 2022 and must be able to demonstrate that they can operate within them by 31 March 2025. The approach overlaps substantially with DORA's focus on continuity of critical or important functions.
Network and Information Systems (NIS) Regulations 2018:
The UK's implementation of the EU NIS Directive requires operators of essential services and relevant digital service providers (including cloud providers) to manage their cyber risks and report significant incidents. Banking and financial market infrastructure were deliberately left out of the UK regulations' designated sectors on the grounds that they are already supervised by the financial regulators, so for financial firms the NIS Regulations bite mainly through their suppliers rather than directly.
Future Regulatory Developments:
The UK may introduce further specific legislation or regulatory guidance that aligns with or diverges from DORA, depending on its post-Brexit regulatory strategy and international market pressures.
Again, irrespective of the above, companies should not wait to check whether they meet the EU requirements. It is prudent to prepare in advance and to be able to show global customers that you meet the operational standards of the major trading blocs.
Deadlines
DORA (Regulation (EU) 2022/2554) entered into force on 16 January 2023 and applies 24 months later, from 17 January 2025. Financial entities, and the ICT third-party providers that serve them, are therefore expected to be compliant by that date.
Preparation
Impact on UK Companies: Although DORA is an EU regulation, its reach extends to UK firms that provide financial services or ICT services into the EU. UK ICT providers will meet its requirements mainly through the contractual terms EU financial entities must impose on them (service descriptions, incident notification, audit and access rights, termination and exit provisions), and providers judged critical to the EU financial sector can be brought under direct oversight by the European Supervisory Authorities. Meeting these requirements is, in practice, a condition of keeping EU financial customers.
Key Preparation Strategies
For EU Companies: Regularly update and enhance ICT risk management frameworks to align with DORA’s stringent standards.
For UK Companies: Assess existing practices against DORA’s requirements, even if operations are UK-based, to ensure competitiveness and readiness for potential UK regulations inspired by DORA.
Incident Reporting Mechanisms
For Both Regions: Establish or update incident reporting systems to ensure quick and efficient communication with regulatory bodies as required under DORA. This system should be robust enough to handle cross-border reporting requirements, a necessity for UK firms operating in the EU.
Operational Resilience Testing
EU Focus: Regularly conduct the resilience testing DORA requires: a basic testing programme across ICT systems supporting critical or important functions, and, for financial entities identified by their authorities, threat-led penetration testing (TLPT) at least every three years.
UK Focus: Align testing regimes with both UK regulations (such as the Bank of England’s Operational Resilience Policy) and DORA standards to ensure comprehensive coverage.
Third-Party Vendor Management
Joint Considerations: Both UK and EU companies must diligently manage third-party engagements, ensuring that all partners and suppliers meet the required resilience standards. This includes drafting contracts that explicitly address compliance with DORA for EU interactions.
Regulatory Engagement and Compliance Monitoring
For EU Companies: Stay updated with all DORA guidance and updates from the European Supervisory Authorities (ESAs).
For UK Companies: Monitor developments in both UK-specific regulations and DORA, especially post-Brexit regulatory shifts that may affect operational requirements.
Training and Awareness Programs
Across Both Regions: Develop comprehensive training programs to raise awareness about DORA and other relevant regulations among employees. This training should cover everything from daily compliance practices to understanding the broader implications of operational disruptions.
Leveraging Technology for Compliance
Automated Compliance Tools: Invest in technology that automates compliance monitoring and reporting. Such tools are particularly useful in managing the overlap between UK and EU requirements, and many systems you already run (asset inventories, vendor-risk platforms, incident tracking) should be assessed for what they can already provide.
Data Management Solutions: This sounds obvious when written down, but it still needs a proper assessment. Implement data management and security controls that protect sensitive information and ensure it is handled according to both UK and EU standards; doing so makes compliance with DORA and similar regulations considerably easier.
Conclusion
For UK financial and technology firms, the key to navigating these requirements lies in understanding both the EU’s and the UK’s evolving regulatory landscapes. Companies must closely monitor legislative developments in both jurisdictions and may need to adapt their operational resilience frameworks to comply with potentially diverging standards.
Keeping abreast of both DORA and UK-specific regulations will be crucial in ensuring that UK-based companies can operate effectively, maintain market access, and meet compliance standards across borders. As always, be prepared: a disruption can hit any company, however well covered it believes itself to be and whatever its size, as this summer's CrowdStrike outage showed.
Gunnercooke Operating Partners
As organisations prepare for DORA, it is always helpful to have an external set of eyes and minds review and assess where you are in your process. At Gunnercooke, we pride ourselves on having the broadest range of Operating Partners, with industry experience spanning Financial Services and Technology through to major Operational Transformation and Board-level advisory. Having led over 100 improvement projects and advised more than 160 CEOs and COOs across multiple sectors and industries, our national team is ready to assist.
Dan Petrovic is focused on financial technology solutions for global capital markets, including systemic financial market infrastructure, digital assets, funds, and Web3 data applications. Previously an executive at a top-10 global administrator, custodian and asset manager, he has been involved with an EMI start-up digital custodian and an investment-bank-owned digital custodian, and has a background in technology, product, enterprise sales and business development.