Understanding the Digital Operational Resilience Act (DORA)
A Guide for UK Businesses
The Digital Operational Resilience Act (DORA) is a landmark regulation introduced by the European Union (EU) to bolster the cyber security and operational resilience of the financial sector.
Despite DORA having come into effect on 17th January 2025, little is still widely known about the new regulation and who it applies to. In this blog we cover what UK businesses and organisations need to know about DORA, its implications, and how to prepare.
What is DORA?
DORA is an EU regulation that aims to ensure financial institutions and their critical ICT (Information and Communications Technology) providers can withstand, respond to, and recover from ICT-related disruptions.
It establishes uniform requirements for managing ICT risks, operational resilience, and incident reporting across the EU financial sector.
Key components of DORA include:
• ICT risk management frameworks
• Comprehensive incident reporting mechanisms
• Regular operational resilience testing
• Oversight of third-party ICT providers
For more details, visit the European Insurance and Occupational Pensions Authority (EIOPA) for an overview of DORA.
Who Does DORA Apply to?
DORA applies to a wide range of financial entities and their critical third-party ICT service providers operating in the EU. These include:
• Banks, payment service providers, and investment firms.
• Insurance and reinsurance companies.
• Cryptocurrency service providers.
• Critical third-party ICT providers offering services like cloud computing, data analytics, and cyber security solutions.
For UK-based businesses, DORA applies if:
• You provide financial services or ICT solutions to EU-based clients.
• You are a critical ICT service provider for EU financial institutions.
What Does DORA Mean for UK Businesses and Organisations?
Even post-Brexit, UK companies working with EU clients must comply with DORA to maintain business relationships. Here’s how it affects your organisation:
Enhanced Cyber Security Requirements
- Implement robust ICT risk management frameworks to safeguard against disruptions and cyber threats.
- Ensure the confidentiality, integrity, and availability of critical data and systems.
Incident Reporting Obligations
- Develop mechanisms to detect, report, and manage ICT-related incidents that could impact EU clients.
- Timely reporting to EU financial institutions and, in some cases, EU regulatory authorities is mandatory.
Operational Resilience Testing
- Conduct regular testing, including advanced techniques like threat-led penetration testing (TLPT), to assess your resilience.
Third-Party Risk Management
- Ensure contracts with EU clients align with DORA’s requirements for security and operational resilience.
- Prepare for audits and performance reviews by EU financial entities.
Governance and Accountability
- Designate roles or teams responsible for ICT risk management and resilience.
- Maintain clear documentation and transparency to demonstrate compliance.
To better understand how DORA might impact ICT service providers, consider the CSO Online analysis on DORA and the cyber security skills gap.
DORA Penalties for Non-Compliance
Non-compliance with DORA can lead to severe consequences, including:
Fines and Financial Penalties
EU regulators may impose significant fines on organisations failing to meet DORA’s requirements. For financial entities, fines can reach up to 2% of their total annual worldwide turnover, and individuals may face fines up to €1,000,000. Critical third-party ICT providers could face fines as high as €5,000,000 or €500,000 for individuals. [Source: Grant Thornton]
Operational Restrictions
Critical ICT providers may face restrictions on their activities or lose contracts with EU clients if found non-compliant.
Reputational Damage
Publicised non-compliance can harm an organisation’s reputation, impacting client trust and future business opportunities.
Compliance is not only a regulatory requirement but also essential for maintaining trust and resilience in an interconnected financial ecosystem.
Guidance and Recommendations for Businesses and Organisations Affected by DORA
To stay compliant and competitive in the EU market, consider these steps:
1) Evaluate Your Exposure to DORA
Assess whether your organisation provides services to EU financial institutions or acts as a critical third-party ICT provider.
2) Strengthen ICT Risk Management
Review and update your cyber security policies, incident response plans, and resilience testing protocols.
Utilise a Managed Detection and Response solution, such as Sophos MDR, to monitor and protect your systems 24/7.
Leverage tools like encryption, access controls, and threat detection systems.
3) Engage in Regular Testing
Schedule operational resilience testing, including penetration testing, to identify vulnerabilities and improve response strategies.
Utilise threat detection systems for continuous threat and attack surface monitoring between scheduled penetration tests.
4) Update Contracts and Agreements
Align your service agreements with EU clients to reflect DORA-specific terms, including transparency on risk management and incident handling.
5) Monitor Regulatory Developments
Stay informed about DORA’s implementation timelines and guidance issued by EU authorities.
6) Seek Expert Advice
Collaborate with legal, regulatory, and cyber security experts to ensure compliance and address potential gaps.
Conclusion
DORA presents both challenges and opportunities for UK businesses serving EU clients. By proactively adopting its principles, organisations can enhance their cyber security posture, demonstrate operational resilience, and build stronger relationships with EU-based partners. Compliance with DORA is not just a regulatory necessity—it’s a competitive advantage in today’s interconnected financial ecosystem.