The European Union’s (EU) Digital Operational Resilience Act (DORA), effective from January 2025, is set to bolster the operational resilience of financial firms and IT third-party service providers in the EU. Operational resilience is defined as the ability of a system to absorb, adapt or recover from an event that compromises mission-critical functions.
Given that the UK is no longer part of the EU, the UK is not obliged to align with EU regulations. However, compliance with DORA is essential for UK firms that keep legal operational ties with the EU through branches, partnerships or direct market activities. UK-based financial entities must, if they haven’t already, determine whether they fall under DORA, based on factors such as their financial activities and operational locations. For example, a UK bank with operations in the EU would need to adhere to DORA’s requirements in order to operate in the EU market. Failure to achieve compliance can incur hefty fines, amounting to 1% of average daily global turnover if obligations are breached. The reputational consequences of not achieving DORA compliance should also be factored into the costs.
As a result, many UK financial firms will be fighting to achieve operational resilience compliance on two fronts. Operational resilience is not exactly a new concept for UK financial firms, who have been subject to their own operational resiliency regulations from the Prudential Regulatory Authority (PRA), Financial Conduct Authority (FCA) and Bank of England (BoE) since March 2022. In fact, the UK operational resilience and DORA frameworks exhibit several differences and similarities, as the table below shows:
Source: GreySpark
As the table suggests, the DORA requirements are more rigid in nature and UK firms will have to take on a more structured approach to achieving compliance than they are used to in the UK. A key difference between the EU and UK operational resilience regulatory frameworks is the emphasis placed on mitigating ICT risks and disruptions, with DORA taking a more stringent approach toward ICT service providers than the UK.
This stance means that some UK financial firms will have to meet the requirements of DORA’s five pillars, which are outlined below:
ICT Risk Management - Financial firms will be required to create and follow an ICT risk management framework that supports a business continuity strategy, disaster recovery policies and communication strategies (i.e., between management and stakeholders). The management team of a financial firm is required to define, approve and be accountable for the implementation and management of ICT-related risk frameworks. All sources of ICT risk should be continuously identified, with ICT systems set up so that the impact of ICT risks is minimised as much as possible.
ICT-related Incident Reporting - Financial firms are required to implement a management process to monitor and log ICT-related incidents promptly. The incidents must be classified and reported using a common template approved by regulators. Under DORA requirements, an incident should be reported within four hours of classification or no later than 24 hours from the time of detection.
Digital Operational Resilience Testing - One of DORA’s requirements is for in-scope firms to perform digital operational resilience testing. This involves running simulations of a physical environment in a virtual environment using real-time data. Due to the requirement for firms to carry out business impact analyses based on ‘severe business disruption’ and increasingly complex scenarios, supervisory pressure on firms to develop more sophisticated scenario testing methods is likely to be increased. Financial firms must establish their own procedures to prioritise, classify and remedy all and any issues or deficiencies revealed through the performance of the tests. GreySpark’s opinion is that achieving the appropriate level of scenario testing sophistication and precision required under the terms of DORA is likely to only be possible using AI technology and more specifically, digital twin technology. You can find out more about this here.
ICT Third-party Risk - DORA emphasises rigorous third-party risk management, demanding careful vetting and ongoing monitoring of the cyber practices of external providers. In particular, financial firms must ensure that contracts with ICT third parties provide full visibility, for example by specifying the locations where sensitive data is stored. Arrangements with third parties should cover important functions, such as data protection, audits and incident management. Firms must also map out all of their third-party dependencies. European regulators will monitor the compliance of critical ICT third parties through both on-site and off-site inspections.
Information Sharing - DORA encourages collaboration between in-scope financial firms in order to enhance the digital operational resilience of firms, raise awareness on ICT risks, minimise the risk of market contagion stemming from an ICT disaster and identify cyber threats.
With the DORA deadline less than a year away, it is vital that financial firms in the EU and UK consider the regulatory requirements of DORA and how best to prepare for them in the time remaining.