
Understanding the Digital Operational Resilience Act (DORA)

A Guide for UK Businesses

The Digital Operational Resilience Act (DORA) is a landmark regulation introduced by the European Union (EU) to bolster the cyber security and operational resilience of the financial sector.

Although DORA has applied since 17th January 2025, awareness of the regulation and of who it covers remains limited. In this blog we cover what UK businesses and organisations need to know about DORA, its implications, and how to prepare.


What is DORA?

DORA is an EU regulation that aims to ensure financial institutions and their critical ICT (Information and Communications Technology) providers can withstand, respond to, and recover from ICT-related disruptions.

It establishes uniform requirements for managing ICT risks, operational resilience, and incident reporting across the EU financial sector.

Key components of DORA include:

     • ICT risk management frameworks

     • Comprehensive incident reporting mechanisms

     • Regular operational resilience testing

     • Oversight of third-party ICT providers

For more details, visit the European Insurance and Occupational Pensions Authority (EIOPA) for an overview of DORA.


Who Does DORA Apply to?

DORA applies to a wide range of financial entities and their critical third-party ICT service providers operating in the EU. These include:

     • Banks, payment service providers, and investment firms.

     • Insurance and reinsurance companies.

     • Cryptocurrency service providers.

     • Critical third-party ICT providers offering services like cloud computing, data analytics, and cyber security solutions.

For UK-based businesses, DORA applies if:

     • You provide financial services or ICT solutions to EU-based clients.

     • You are a critical ICT service provider for EU financial institutions.


What Does DORA Mean for UK Businesses and Organisations?

Even post-Brexit, UK companies working with EU clients must comply with DORA to maintain business relationships. Here’s how it affects your organisation:

Enhanced Cyber Security Requirements

  • Implement robust ICT risk management frameworks to safeguard against disruptions and cyber threats.
  • Ensure the confidentiality, integrity, and availability of critical data and systems.

Incident Reporting Obligations

  • Develop mechanisms to detect, report, and manage ICT-related incidents that could impact EU clients.
  • Timely reporting to EU financial institutions and, in some cases, EU regulatory authorities is mandatory.

Operational Resilience Testing

  • Conduct regular testing, including advanced techniques like threat-led penetration testing (TLPT), to assess your resilience.

Third-Party Risk Management

  • Ensure contracts with EU clients align with DORA’s requirements for security and operational resilience.
  • Prepare for audits and performance reviews by EU financial entities.

Governance and Accountability

  • Designate roles or teams responsible for ICT risk management and resilience.
  • Maintain clear documentation and transparency to demonstrate compliance.

To better understand how DORA might impact ICT service providers, consider the CSO Online analysis on DORA and the cyber security skills gap.

DORA Penalties for Non-Compliance

Non-compliance with DORA can lead to severe consequences, including:

Fines and Financial Penalties

EU regulators may impose significant fines on organisations failing to meet DORA’s requirements. For financial entities, fines can reach up to 2% of their total annual worldwide turnover, and individuals may face fines up to €1,000,000. Critical third-party ICT providers could face fines as high as €5,000,000 or €500,000 for individuals. [Source: Grant Thornton]

Operational Restrictions

Critical ICT providers may face restrictions on their activities or lose contracts with EU clients if found non-compliant.

Reputational Damage

Publicised non-compliance can harm an organisation’s reputation, impacting client trust and future business opportunities.

Compliance is not only a regulatory requirement but also essential for maintaining trust and resilience in an interconnected financial ecosystem.


Guidance and Recommendations for Businesses and Organisations Affected by DORA

To stay compliant and competitive in the EU market, consider these steps:

1) Evaluate Your Exposure to DORA

Assess whether your organisation provides services to EU financial institutions or acts as a critical third-party ICT provider.

2) Strengthen ICT Risk Management

Review and update your cyber security policies, incident response plans, and resilience testing protocols.

Utilise a Managed Detection and Response solution, such as Sophos MDR, to monitor and protect your systems 24/7.

Leverage tools like encryption, access controls, and threat detection systems.

3) Engage in Regular Testing

Schedule operational resilience testing, including penetration testing, to identify vulnerabilities and improve response strategies.

Utilise threat detection systems for continuous threat and attack surface monitoring between scheduled penetration tests.

4) Update Contracts and Agreements

Align your service agreements with EU clients to reflect DORA-specific terms, including transparency on risk management and incident handling.

5) Monitor Regulatory Developments

Stay informed about DORA’s implementation timelines and guidance issued by EU authorities.

6) Seek Expert Advice

Collaborate with legal, regulatory, and cyber security experts to ensure compliance and address potential gaps.



Conclusion

DORA presents both challenges and opportunities for UK businesses serving EU clients. By proactively adopting its principles, organisations can enhance their cyber security posture, demonstrate operational resilience, and build stronger relationships with EU-based partners. Compliance with DORA is not just a regulatory necessity—it’s a competitive advantage in today’s interconnected financial ecosystem.
