
EU DORA v UK Operational Resilience

DORA

17 January 2025 - that is the deadline for implementation of the Digital Operational Resilience Act (DORA).

The Scope - As a European regulation, its scope is universal and mandatory. It applies to a broad range of firms, including payment and electronic money institutions.

The Aim - is to strengthen the resilience of the financial services sector to cyber threats and operational disruptions. It forms part of a broader effort to ensure that financial institutions can withstand, respond to, and recover from disruptions to their operations, particularly those stemming from cybersecurity incidents or technological failures.

The General Provisions - cover key areas of focus such as governance, ICT risk management, operational resilience, third-party risk, incident management and reporting.

Operational Resilience

March 2025 - Although it came into effect in March 2022, firms have until this date to fully test their tolerance levels and be prepared.

The Scope - A UK regulation that applies to all regulated firms and critical third-party providers, including payment and electronic money institutions.

The Aim - is to ensure firms can withstand, respond to, and recover from operational disruptions (e.g., cyber-attacks, system failures, pandemics). It aims to protect consumers and markets, and encourage proactive management of risks that could compromise the delivery of key services.

The General Provisions - include the identification of Important Business Services (IBS), setting impact tolerances, scenario testing, dependencies, communication plans, third-party oversight, board accountability, and lessons learned.


The Comparisons

Objective: Both share the same objective of enhancing operational stability.

Scope: Both cover financial institutions and their critical third parties. Both place significant emphasis on third-party oversight and senior management accountability.

The Contrast

Geographical Jurisdiction: DORA is an EU regulation aimed at harmonising digital operational resilience across all EU member states. The UK's Operational Resilience framework applies only to UK regulated firms.

Focus on Digital Risks: DORA has a stronger emphasis on digital risks and cyber security. Operational Resilience covers broader operational risks, including non-digital disruptions like physical infrastructure failures or natural disasters.

ICT Risk Management: DORA introduces stricter and more detailed ICT risk management and incident reporting requirements compared to the UK framework, with a specific focus on improving the cyber resilience of financial institutions and their technology providers.

Incident Reporting: DORA mandates standardised incident reporting across the EU to help detect, mitigate, and prevent future operational issues. The UK’s framework, while requiring incident reporting, does not impose the same degree of standardisation across firms.


The Message

Firms operating in the UK must comply with Operational Resilience regulations, and those operating in the UK and the EU must comply with both DORA and the UK’s Operational Resilience regulations.

Actions include:

  • Undertaking a Comprehensive Risk Assessment
  • Implementing Robust Resilience Strategies
  • Enhancing third-party Risk Management
  • Ensuring Board Accountability

The Consequences of Non-Compliance

The consequences of non-compliance, I'm sure, don't need to be spelled out. Financial, reputational and legal liability are just a few.


How Can Thistle Initiatives Help

  • Consultations and Advisory Services
  • Risk Management Framework Development - through our new Tech Enabled Platform
  • Scenario Testing
  • Due Diligence and Third-Party Risk Assessment
  • Board Training and Support
  • Policy Development
  • Ongoing Compliance Monitoring
  • Knowledge Sharing and Best Practice Insights

Don't leave it too late. Time has a habit of creeping up on us.