DORA is Here: What UK Financial Institutions Need to Know About the EU’s New Cybersecurity Rules
Simon Plummer – Director of Information Security
The EU’s Digital Operational Resilience Act (DORA) has arrived, and while it’s an EU regulation, it has significant implications for UK financial institutions, especially those that serve clients in the European Union. DORA, which was introduced in 2023, is now being enforced from today, making it a critical time for businesses to understand their obligations and take proactive steps to ensure compliance. This isn’t just about avoiding penalties; it’s about ensuring the stability and resilience of your operations in an increasingly interconnected financial landscape.
What is DORA?
The Digital Operational Resilience Act (DORA) is a comprehensive EU regulation designed to strengthen the information and communication technology (ICT) security of the financial sector. It aims to create a harmonised and robust framework for managing operational risks, ensuring that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.
Key Pillars of DORA:
DORA focuses on five key areas:
- ICT Risk Management: Financial institutions are required to have a comprehensive ICT risk management framework in place, including identifying, assessing, mitigating, and monitoring ICT risks.
- ICT-Related Incident Management: DORA mandates a robust process for managing and reporting ICT-related incidents, including major incidents that must be reported to the relevant authorities.
- Digital Operational Resilience Testing: Regular testing, including threat-led penetration testing (TLPT) for significant entities, is required to assess the effectiveness of security measures and identify vulnerabilities.
- ICT Third-Party Risk Management: DORA places significant emphasis on managing risks associated with third-party ICT providers, including cloud services. This includes contractual requirements, oversight, and exit strategies.
- Information Sharing: The regulation encourages the voluntary sharing of cyber threat information and intelligence among financial entities to enhance collective resilience.
What Does DORA Mean for UK Businesses?
Even though the UK is no longer part of the EU, DORA can still impact UK financial institutions in several ways:
- Serving EU Clients: If your UK-based financial institution serves clients in the EU or has operations within the EU, you will likely need to comply with DORA’s requirements for those activities.
- Part of an EU Group: UK entities that are part of a larger group with operations in the EU may need to adhere to DORA as part of group-wide compliance efforts.
- Third-Party Providers to EU Entities: If your UK firm provides ICT services to financial institutions operating in the EU, you may be subject to DORA’s requirements through contractual obligations.
- Equivalence Decisions: The UK may seek equivalence decisions from the EU in certain financial services areas. DORA compliance could become a factor in those decisions.
- Raising the Bar: DORA is setting a new global benchmark for operational resilience. UK firms may find that aligning with DORA’s principles, even if not legally required, is beneficial for their overall security posture and international competitiveness.
DORA: A Golden Opportunity for UK IT Providers in the Supply Chain
For UK IT providers, DORA isn’t just another regulation to worry about; it’s a significant opportunity. If you provide services to financial institutions in the EU, or to UK firms that serve EU clients, DORA compliance is quickly becoming a key differentiator. By understanding and adhering to DORA’s requirements, you can:
- Become a Trusted Partner: Demonstrate to your clients that you take cybersecurity and operational resilience seriously, building trust and strengthening your relationships.
- Win New Business: Financial institutions are actively seeking IT providers that can help them meet their DORA obligations. Highlighting your DORA readiness can give you a competitive edge.
- Expand Your Market: DORA compliance can open doors to new opportunities with EU-based financial institutions and UK firms expanding their European operations.
- Avoid Costly Penalties: Helping your clients achieve compliance means you are indirectly protecting your own business interests.
- Enhance Your Reputation: Being at the forefront of DORA compliance enhances your reputation as a knowledgeable and reliable IT provider in a rapidly evolving regulatory landscape.
How Collective Security Can Help UK IT Providers Thrive in the Age of DORA
Collective Security is ideally positioned to help UK IT providers navigate the complexities of DORA and turn compliance into a business advantage. We can assist you with:
- DORA Readiness Assessments: We’ll evaluate your current security posture and identify any gaps in relation to DORA’s requirements.
- Tailored Security Solutions: We’ll help you implement the necessary security controls and processes to meet DORA’s standards, including robust incident management, third-party risk management, and resilience testing.
- Cyber Essentials and ISO 27001 Certification: Achieving these certifications can provide a strong foundation for your DORA compliance efforts and demonstrate your commitment to security best practices.
- Documentation and Compliance Support: We’ll assist you in developing the necessary documentation to demonstrate your compliance to clients and regulators.
- Ongoing Support: We’ll provide ongoing support to ensure you stay up-to-date with evolving DORA requirements and maintain a strong security posture.
Beyond ISO 27001: Why DORA Requires More
While ISO 27001 certification is a valuable asset for demonstrating a commitment to information security management, it is not sufficient to fully comply with DORA. DORA is more prescriptive and specifically tailored to the operational resilience needs of the financial sector.
Here’s how DORA goes beyond ISO 27001:
- Specific Focus on Operational Resilience: DORA explicitly focuses on maintaining critical operations during disruptions, whereas ISO 27001 is broader in scope.
- Mandatory Incident Reporting: DORA has stricter and more detailed requirements for incident reporting than ISO 27001.
- Third-Party Risk Management: DORA places greater emphasis on managing risks associated with third-party ICT providers.
- Threat-Led Penetration Testing (TLPT): DORA introduces requirements for TLPT for significant entities, which goes beyond the typical scope of ISO 27001.
- Prescriptive Requirements: DORA contains more prescriptive requirements in certain areas compared to the more principle-based approach of ISO 27001.
Meeting DORA’s Penetration Testing Requirements – Affordably
One of the key requirements under DORA is regular penetration testing, which helps identify vulnerabilities in your ICT systems and assess your ability to withstand cyberattacks. Article 24 of the Act states that financial entities captured by the regulation must carry out ‘basic’ penetration testing every year. Article 25 goes on to define the requirements for Threat-Led Penetration Testing (TLPT), which larger, more ‘significant’ businesses, as identified by the regulator, must carry out every 3 years. It is anticipated that many more businesses will carry out TLPT to meet the requirements of their clients captured by DORA.
Collective Security offers affordable penetration testing services designed to meet DORA’s requirements. We understand that cost can be a barrier for smaller financial firms and IT providers. Our services are tailored to provide thorough testing without the hefty price tag often associated with traditional penetration testing. We can help you:
- Identify Vulnerabilities: Our expert team will simulate real-world attacks to uncover weaknesses in your systems.
- Meet Compliance Obligations: Ensure your testing program aligns with DORA’s requirements.
- Improve Your Security Posture: Receive actionable recommendations to strengthen your defenses.
- Provide Assurance: We can provide you with documentation that you can share with your clients, demonstrating your commitment to security.
Collective Security: Helping You Navigate DORA Compliance
Navigating the complexities of DORA can be challenging. Collective Security can provide expert guidance and support to help your UK financial institution understand its obligations and implement the necessary measures to achieve compliance. We can assist with:
- Gap Analysis: Assessing your current security posture against DORA’s requirements.
- Risk Management Framework Development: Building a robust ICT risk management framework tailored to your specific needs.
- Incident Response Planning: Developing and testing incident response plans to ensure you can effectively respond to and recover from ICT disruptions.
- Third-Party Risk Management: Implementing processes to manage risks associated with your ICT providers.
- Cyber Essentials and ISO 27001: While not sufficient on their own, achieving these certifications can provide a solid foundation for your DORA compliance journey.
Could DORA impact your business?
With DORA enforcement beginning today, now is the time to act. Contact Collective Security for a free consultation to discuss your DORA compliance needs and learn how we can help you build a more resilient and secure business.