Vital to know
DORA applies from 17 January 2025.
It is directly applicable to financial sector entities listed in Article 2 (1) (a)-(t) of DORA. This includes almost all types of financial entities (level one application).
In relation to ICT third-party service providers ("ICT Providers"), DORA applies in two ways (level two application):
- directly, to ICT Providers designated as critical, through the designation and oversight framework set out in DORA, and
- indirectly, to all ICT Providers, since when serving financial entities they will need to bring their organisation, their provision of ICT services and the contractual agreements for those services into line with the requirements in DORA.
ICT companies should first understand which of their customers are in scope and, based on that, what needs to be included in or adapted within their agreements and internal operational procedures to meet the requirements by the deadline.
What is it?
DORA (the Digital Operational Resilience Act) is an EU regulation, not a directive, so it applies directly in member states without national transposition; it captures UK firms to the extent they operate in, or serve financial entities in, the EU. Simply put, its aim is to ensure companies are fully prepared for, and can mitigate, critical ICT outages. Its purpose is to strengthen the resilience of financial entities and ICT providers against digital disruptions and cyber threats. The CrowdStrike outage of July 2024, in which a faulty software update crashed large numbers of Windows systems and stranded travellers when airlines were affected, has put a renewed focus on Operational Resilience and is a clear example of the kind of disruption that better pre-release testing and staged rollout by ICT providers is meant to prevent.
Why is DORA relevant?
Although leading firms may already have various measures in place, and a growing number of companies are making good progress, that is not the same as demonstrable compliance.
Company boards will be responsible for ensuring that ICT risk management frameworks and regular testing are in place, and will be answerable, and may face penalties, if found not to have acted accordingly.
The purpose is to make sure financial services companies identify and maintain their own frameworks for ICT risk management and cybersecurity, and that harmonised rules across the EU for incident reporting, preparedness, management and testing leave firms better prepared for issues like the one outlined above, and ideally able to mitigate them altogether. Boards should understand and measure what gaps might exist even if they assume they have already taken steps to meet the standards.
Does it apply to me in the UK?
Potentially, yes. DORA applies to EU-regulated financial entities, so a UK firm is affected if it has EU subsidiaries, branches or clients, or if it provides ICT services to EU financial entities. Leading firms in the UK Financial Services sector may already have measures in place under the FCA and Bank of England/PRA operational resilience rules, but there are likely to be divergences between the EU and UK regimes that trigger additional requirements if you have EU clients or business. Existing programmes that organisations have been running (e.g. Operational Resilience, Third Party Risk Management, Technology Risk Remediation, Cloud Transformation and Cyber Transformation) should be the starting point for a gap analysis. Board review of these programmes should help companies reshape them to ensure they meet both sets of standards. A straightforward internal gap analysis, possibly supported by a software vendor and/or an external firm, can help establish how much remains to be done.
In addition to the significant changes for entities already subject to extensive EU financial supervision, such as banks, the big change is DORA's extended scope, which brings in other stakeholders in the financial sector that have so far not been subject to extensive ICT security regulation, e.g. crypto-asset service providers, intermediaries, managers of alternative investment funds, crowdfunding service providers, cloud-service providers and other ICT third-party service providers.
There is a strong focus on third-party risk management. Entities will be expected to satisfy themselves of a third party's resilience, which will require close interaction and joint effort with their critical ICT third-party service providers, especially where those providers support the delivery of an important business service. DORA also requires that a number of specific contractual provisions be included in financial entities' contracts for procuring ICT services and products.
This will apply to existing in-scope contracts, which will need to be collated, reviewed and amended to ensure compliance, and any new in-scope contracts will also need to include such obligations.
The UK Operational Resilience regulation and DORA seek to drive specific and often complementary outcomes. As a result, there are common elements between the two. Some examples are outlined below:
Identification of Important Business Services (IBSs): UK firms should already know what their most important business services are, and since DORA mandates an understanding of your critical or important functions and the ICT that supports them, this can take firms some way towards addressing that requirement.
Mapping of dependencies: Since firms' important business services are likely to depend on a number of ICT services, provided either internally or by third parties, the mapping undertaken for operational resilience is likely to already capture some of this information.
Scenario testing: DORA sets its own specific requirements for testing ICT systems and services; however, your firm's existing approach to demonstrating resilience through scenario testing can inform a DORA testing programme.
It will also be important to consider how your approach to Operational Resilience will be sustained over time, as the tools or technology platforms already in use may be leveraged for DORA purposes too.
The full DORA regulation does, however, need to be understood by each firm in order to determine where its existing Operational Resilience work can fulfil specific requirements. Even if you believe you have it covered, the process should include regular and on-demand checks and monitoring to ensure high standards are maintained.