Aug 17 / Paul C Dwyer

Understanding DORA: What UK Financial Entities Need to Know

The Digital Operational Resilience Act (DORA) has recently emerged as a pivotal regulation for the European financial sector. Specifically focusing on Information Communication Technology (ICT) and cyber resilience, DORA aims to bolster the sector's digital resilience. This article delves deep into the UK's perspective on DORA and highlights essential considerations for the financial sector in the UK and Europe.

1. Scope of DORA:
DORA covers a wide array of subjects pertinent to financial services firms across the EU and the UK. Unlike the existing UK operational resilience regulations, DORA provides more granular directives around ICT and cyber resilience.

2. Identifying Applicability:
It's crucial for UK-based financial entities to swiftly ascertain if they come under the ambit of DORA. This depends on multiple factors including the range of financial market activities they undertake and their operational locations.

3. The Dual Nature of DORA – Challenges and Opportunities:
Certain aspects of DORA, such as operational resilience testing around ICT, threat intelligence, and third-party risk management, may already be familiar to some entities, but they still warrant meticulous attention and scrutiny.

4. The Need for Alignment:
To ensure seamless compliance, UK firms should strive to harmonise DORA with other internal programs. Engaging in gap analyses and maturity assessments will be pivotal to discern and address any additional mandates. More insights on this can be garnered at Cyberprism.

5. EU-wide Standardization:
DORA ushers in both a challenge and an opportunity by mandating financial firms to maintain a consistent maturity level of ICT and cyber resilience throughout their EU operations.

6. The Preparation Window:
Entities have a two-year window to get their house in order. Comprehensive gap assessments are essential within this period to spotlight areas that need investment and focus. Notably, the 16th of January 2025 stands out as a crucial date. To delve deeper into this, visit Cyberprism.

7. Regulatory Expansion:
DORA broadens its reach, encapsulating various financial sector stakeholders who previously were spared from stringent ICT security regulations. Keeping abreast with these changes is essential and platforms like DoraTraining can be instrumental.

8. Spotlight on Third-Party Risk Management:
Entities need to foster close relationships with their pivotal ICT third-party service providers. Ensuring the resilience of these partners is of utmost importance.

9. Synergy with Existing Protocols:
There's a harmonious interplay between operational resilience regulations and DORA. Elements such as identification of vital business services, mapping dependencies, and scenario testing under existing resilience strategies can provide valuable insights for a DORA testing regimen.

10. New Directives for ICT Service Providers:
'Critical' ICT service providers face novel regulations under DORA, placing them under the lens of direct regulatory examination. This could usher in contractual shifts to align with DORA's stipulations.

In summation, DORA heralds a paradigm shift in regulatory frameworks. It's a clarion call for UK financial entities and ICT service providers to be attentive, aligned, and prepared. As the sector navigates these new waters, opportunities beckon for those who adapt and evolve. Immediate action is not just advisable, but paramount.

Stay informed and begin your DORA Compliance Assessment journey at Cyberprism and DoraTraining. #cyber #DORA
Paul C Dwyer is the ICTTF President, recognised as one of the world’s foremost experts on cyber security, risk and privacy.