By Martin Greenfield, CEO of Quod Orbis
With three months until the Digital Operational Resilience Act (DORA) applies on 17 January 2025, the financial services sector’s response remains surprisingly muted. The limited level of preparation for such significant legislation raises concerns, particularly within the UK, where DORA is sometimes viewed as an optional framework rather than a binding EU regulation.
This new regulation warrants careful consideration. While Brexit has created a degree of regulatory separation from the EU, the implications of DORA for UK financial institutions remain significant. DORA applies directly to in-scope financial entities established in the EU, which includes the EU subsidiaries and branches of UK groups, and it reaches UK firms that provide ICT services to those entities. Organisations maintaining cross-border operations or serving EU customers will therefore be required to comply. The legislation’s scope extends beyond market access to critical operational practices in today’s interconnected financial ecosystem.
The regulation has been structured to establish comprehensive measures for preventing, managing, and recovering from ICT-related incidents. These requirements encompass risk identification, resilience testing, and business continuity planning. While the UK financial sector’s existing operational resilience regime (the FCA and PRA rules on important business services, impact tolerances and scenario testing) is well established, DORA introduces additional dimensions that need to be addressed, particularly in third-party risk management and the resilience of the underlying technology infrastructure.
The regulation’s scope extends across five key pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Certain elements nonetheless warrant prioritisation for organisations seeking to ensure comprehensive compliance. Here’s where leaders need to focus their attention first.
Third-party risk management
One of the most significant aspects of DORA centres around third-party risk management.
Financial institutions are required to assess and document the security and compliance of their ICT supply chains with unprecedented rigour. This mandate necessitates thorough scrutiny of cyber security practices across the provider network, a maintained register of information covering all contractual arrangements with ICT third-party providers, and, in many cases, contractual amendments to secure audit and access rights, exit arrangements and continuous monitoring for cyber threats.
The complexity of this requirement becomes apparent when considering the depth of third-party relationships that may need examination. While the precise extent remains to be clarified, organisations may need to assess up to four or five layers of subcontracting within their ecosystem. This third-party focus permeates all DORA pillars, necessitating a sophisticated approach beyond simple compliance checklists. Notably, it aligns with the FCA’s increasing scrutiny of third-party risk management and critical service providers, suggesting a growing convergence between UK and EU regulation.
Extensive reporting requirements
The reporting obligations established by DORA should not be underestimated. Financial institutions must classify ICT-related incidents quickly and accurately, and report major incidents to their competent authority in stages: an initial notification, an intermediate report and a final report. Meeting those deadlines depends on knowing promptly which business services are affected and how severely, which in turn necessitates robust processes for continuous monitoring as well as expeditious reporting.
DORA’s information-sharing pillar also encourages a shift in industry dynamics, whereby financial institutions move beyond viewing market participants solely as competitors. The sharing of cyber threat information, attack types and remediation strategies is positioned as crucial to collective defence.
Advanced threat testing protocols
DORA introduces elevated standards for Threat-Led Penetration Testing (TLPT), a significant step beyond vulnerability scanning and conventional penetration testing. TLPT is an intelligence-led red-team exercise that simulates the tactics of real-world attackers against live production systems, evaluating an organisation’s end-to-end detection and response capabilities across people, processes and technology.
Financial entities designated by their competent authority will be required to carry out TLPT at least every three years to maintain robust cyber defences. This requirement signals a necessary cultural shift, in which concerns about disrupting production must be balanced against the need to test the systems that actually matter.
Tech integration and monitoring
The selection of cyber security tools under DORA requires careful consideration of how well they integrate with existing infrastructure. Poor alignment could create operational vulnerabilities rather than address them. New technology should address DORA’s requirements while remaining compatible with obligations and standards the organisation already meets, such as GDPR, PSD2 and ISO/IEC 27001.
Continuous monitoring emerges as a crucial orchestration layer, consolidating oversight of the organisation’s own estate and its third-party ecosystem into a unified view. This capability becomes essential for demonstrating ongoing compliance and sustaining operational resilience.
Core assumptions and hidden responsibilities
Several foundational assumptions within DORA warrant careful attention. The regulation presumes the existence of a robust ICT risk management framework, yet certification against a standard such as ISO/IEC 27001 does not by itself satisfy DORA’s requirements, which add specific obligations such as management-body accountability, the third-party register and the testing programme. Similarly, while operational resilience testing is assumed to be integrated into existing processes, organisations must assess whether their current practices actually meet DORA’s specific expectations rather than assuming equivalence.
Looking ahead
While certain technical specifications are yet to be released, the significance of DORA’s impact on operational practices cannot be overlooked. The regulation presents an opportunity for financial institutions to enhance their operational resilience while strengthening their competitive position in the European market.
Organisations that approach DORA systematically, addressing its requirements methodically rather than rushing to meet deadline pressures, will be better positioned to achieve sustainable compliance. The regulation’s comprehensive scope demands careful planning and implementation, with particular attention to third-party relationships, reporting mechanisms, and testing protocols.
For UK financial institutions operating within or connected to EU markets, DORA compliance represents not merely a regulatory obligation but an opportunity to demonstrate operational excellence and risk management capability in an increasingly complex financial ecosystem. The alignment between FCA and EU approaches to operational resilience, particularly regarding third-party risk management and incident reporting, means that organisations can build upon their current compliance frameworks rather than starting anew. This regulatory convergence offers UK institutions an efficient path to maintaining both domestic compliance and EU market access while strengthening their overall operational resilience posture.