UK Financial Services Prepare for January 2025 DORA Implementation

by Alexander Michael, Chief Cloud Strategy Officer, Global BFSI, Rackspace Technology


As cyberthreats continue to evolve and intensify, the European Commission has introduced the Digital Operational Resilience Act (DORA) to establish a unified approach to digital resilience across financial institutions. While the UK is no longer part of the European Union (EU), the interconnected nature of global financial markets means UK institutions must align with DORA's requirements.

This alignment is crucial not only for maintaining operational resilience and competitiveness in cross-border operations but also because DORA is expected to impact thousands of UK entities, many of which are facing such standards for the first time. As the January 17, 2025 compliance deadline approaches, UK financial firms and their ICT suppliers serving EU clients or with significant EU operations must pay particular attention to these new regulations.

Navigate the changing regulatory landscape

DORA is set to reshape the regulatory landscape for financial services, with significant implications for UK firms. While the UK has its regulations through the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), DORA introduces a comprehensive framework that UK regulators may eventually adopt or align with.

UK firms operating in the EU must comply with DORA to maintain their cross-border operations. This means adhering to UK and EU regulations, creating a dual compliance requirement. For these institutions, aligning with DORA is not just advantageous—it's necessary.

Understand key components of DORA

DORA introduces several critical components that UK financial institutions should familiarize themselves with:

  • ICT risk management: DORA requires robust frameworks to identify, assess and manage information and communications technology (ICT) risks. This involves regular risk assessments, implementation of security controls and development of mitigation strategies.
  • Incident reporting: Significant ICT-related incidents must be promptly reported to authorities. Firms must develop efficient systems for reporting within required timeframes and create incident response plans to handle ICT disruptions effectively.
  • Operational resilience testing: Regular tests, including penetration and scenario-based tests, are mandated to ensure resilience. Continuous auditing and review of ICT systems are necessary to maintain compliance and resilience.
  • Third-party risk management: Financial firms must ensure that their ICT service providers comply with DORA standards. This involves thorough vendor due diligence and including DORA compliance requirements in contracts with third-party providers.
  • Information sharing: Systems should be in place to share information about cyberthreats and vulnerabilities with other financial entities, fostering a collaborative approach to cybersecurity.

Take steps to achieve compliance

To align with DORA compliance mandates, UK financial institutions should follow these key steps:

  • Conduct a gap analysis: Begin by thoroughly assessing your current ICT risk management practices against DORA requirements. Identify areas of non-compliance and develop a comprehensive plan to address them.
  • Establish clear governance: Create a framework with board-level oversight of ICT risk management. Develop and implement detailed policies on ICT risk management, incident reporting and third-party risks.
  • Enhance ICT risk management: Implement robust processes for identifying, assessing and mitigating ICT risks. This includes regular risk assessments, strengthening security controls and developing effective mitigation strategies.
  • Implement incident reporting mechanisms: Develop efficient systems for reporting ICT incidents to regulatory bodies within required timeframes. Create and regularly update incident response plans to effectively handle ICT disruptions.
  • Conduct regular resilience testing: Implement a program of regular operational resilience tests, including penetration testing and scenario-based exercises. Continuously audit and review ICT systems to maintain compliance and resilience.
  • Manage third-party risks: Thoroughly evaluate third-party ICT service providers to ensure they meet DORA standards. Include DORA compliance requirements in contracts with these providers.
  • Actively engage in information sharing: Participate in information-sharing initiatives with other financial entities to stay informed about emerging threats and best practices.
  • Invest in technology and training: Implement advanced cybersecurity tools to strengthen ICT resilience. Conduct ongoing training and awareness programs for employees on ICT risk management and incident reporting.

Understand who is exempt from DORA

While DORA applies to a wide range of financial entities, certain organizations are exempt. These include alternative investment fund managers, some insurance and reinsurance undertakings, small occupational retirement institutions, and certain insurance intermediaries and micro enterprises (organizations with fewer than 10 employees). However, even exempt organizations should consider voluntary alignment with DORA principles as a best practice for operational resilience.

Recognize the consequences of non-compliance

Non-compliance with DORA can result in severe consequences for UK financial institutions, particularly those operating in or servicing EU markets. These may include limited access to EU markets, substantial financial penalties from EU regulators, and operational restrictions impacting business continuity. UK firms might also face increased scrutiny from domestic regulators like the FCA or PRA, as UK standards may align with DORA.

Non-compliance can lead to reputational damage, loss of clients or partners, and competitive disadvantages in cross-border operations. Additionally, firms may expose themselves to operational risks that DORA aims to mitigate. Given these risks, UK financial services providers should view DORA compliance as a critical investment in their operational resilience, cybersecurity, and long-term success in EU and global markets.

Embrace DORA as a competitive advantage

While achieving DORA compliance may seem daunting, it presents an opportunity for UK financial institutions to strengthen their operational resilience and gain a competitive edge. By aligning with DORA standards, UK firms can:

  • Build trust with EU partners and clients, facilitating smoother cross-border operations.
  • Enhance their overall cybersecurity posture, reducing the risk of costly breaches and operational disruptions.
  • Demonstrate leadership in adopting global best practices for digital operational resilience.

UK firms can transform this regulatory challenge into a strategic advantage by taking a proactive approach to DORA. They can improve risk management processes and potentially expand market access. Working with experienced partners like Rackspace Technology® can help navigate the regulatory complexities while boosting ICT resilience.

As the January deadline approaches, UK financial firms — especially those with significant EU operations — should view DORA compliance as a critical investment for their continued competitiveness in an increasingly interconnected financial landscape.

Start your DORA compliance journey today to help secure your financial institution's future.