If someone on your team asked, “Does DORA apply to the UK?” would you have to think for a moment before responding?
You might quickly answer, “Of course not”. And you would be (half) right. The UK is not in the EU, so DORA does not apply to UK businesses specifically.
However, because DORA coverage impacts anyone transacting with EU customers (and not just businesses based in the EU), any UK financial services industry (FSI) firm that works with EU customers or does business with EU FSI firms is likely to be covered by DORA.
This means that tens of thousands of UK financial businesses (with EU customers) will need to be DORA compliant.
So the correct answer to “Does DORA apply to the UK?” is: “Sometimes no, often yes.”
To make the DORA/UK question a bit less complex, SECFORCE’s compliance experts reviewed the DORA legislation in detail.
In this blog post, we show you what you need to know about DORA’s interaction with UK legislation.
DORA Regulation UK: 7 Things to Know
We think there are seven core facts that UK businesses need to know about DORA right now.
DORA is not a UK regulation, but it applies to many UK businesses
The Digital Operational Resilience Act (DORA) is an EU regulation that comes into force in January 2025.
DORA is a (very) wide-ranging regulation. It will cover many smaller businesses that so far have avoided the kind of regulatory scrutiny that DORA will put them under.
If you are a) An EU-facing (i.e., you have EU-based customers or clients) UK bank, investment firm, fintech firm or financial entity of more or less any kind (see a full list of the 20 different impacted business types in the regulation itself) or b) Your business offers critical ICT services to EU financial entities, then DORA impacts you.
DORA has five pillars
UK businesses should know that DORA has five interlinked “pillars” that detail the kinds of capabilities affected organisations need to have to resist and report cyber-attacks.
We cover these DORA pillars in more detail in another blog.
To sum it up, covered UK businesses will need to (in no particular order):
- Establish robust ICT risk management frameworks.
- Share threat intelligence with other FSI firms.
- Manage ICT third-party risks.
- Conduct regular digital operational resilience testing.
- Comply with strict incident reporting guidelines.
DORA overlaps with some existing UK regulations but does not align fully (yet!)
DORA overlaps with existing UK operational resilience frameworks like the Financial Conduct Authority’s (FCA) PS21/3. Eventually, these two regulations may overlap, meaning that complying with the requirements of one will guarantee an automatic pass for the other.
To learn more about how the UK is approaching DORA standards, check out the current consultation process from the FCA around third-party risks.
For now, though, DORA alignment with your existing compliance program is not certain or likely.
While some firms may be able to build on their existing scenario testing, dependency mapping, and important business service identification work, DORA compliance will still mean extra work.
Critically, DORA also covers a far wider range of businesses than FCA. For example, DORA covers crypto assets and crowdfunding companies that the FCA does not currently cover. This widens the net for compliance.
In our opinion, the best thing that UK firms can do in this situation is to take a “highest common denominator” approach towards complying with all current and near-future legislations like DORA.
Make DORA the benchmark for your third-party risk mitigation efforts, and your other compliance requirements will be a piece of cake.
You can receive a DORA penalty as a UK business
It doesn't matter where your organisation’s HQ is. As long as you operate in the EU, you can receive a DORA fine. And DORA fines are steep.
For UK businesses, a DORA fine could be as much as 1% of your daily global turnover for up to six months.
We can say that, based on past experience with other regulations like the General Data Protection Regulation (GDPR) and the EU’s aggressive attitude towards cybersecurity, it's likely that DORA fines will a) be enforced and b) increase with time.
Receiving a DORA fine will also damage your ability to access the EU market and your business reputation. After a 2015 data breach left them subject to a fine from the ICO, the UK broadband provider TalkTalk suffered a 50% reduction in profits the following year.
DORA might change your contracts with EU entities
A core focus of DORA is to build resilience into contracts.
DORA requires financial entities to actively monitor risks arising from their use of ICT third-party service providers throughout the lifecycle of the contractual relationship.
In practice, this means assessing concentration risks for all contracts supporting Critical or Important Functions (CIFs).
Many contracts will need to be revisited to ensure that they allow financial entities to keep their services online if a primary contractor (including a cloud hosting service) cannot function for whatever reason.
Also, if your UK business is a critical third-party ICT service provider (CTTP) to EU clients, you might need to sign up for more new service level agreements (SLAs).
As an example, Google Cloud has produced a useful guide showing how their service maps onto DORA. You can check it out here.
Critical ICT service providers have unique requirements
Critical ICT service providers have special requirements under DORA.
You can be designated a critical ICT service provider based on a few factors that boil down to your importance to a financial entity's business continuity.
If your operations shut down (for example, due to a cyber attack), would a financial entity:
- Find it difficult to provide services to its customers?
- Have a hard time replacing you?
- Face a risk that might impact other FSI operators?
- Have difficulty performing critical or important functions?
If you tick any of the above, you might be classified as a critical ICT service provider by a European banking authority.
The result is that you will have more stringent reporting and testing requirements.
You might need a DORA consultant
The exact compliance requirements for DORA are going to keep changing. Your own compliance pathway will be different from your peers, too.
But one thing is going to stay 100% consistent across every impacted UK entity - you will need to do a gap analysis.
A DORA consultant can provide a massive benefit to your gap analysis efforts. A consultant can take a third-party look at your current processes, match them to DORA’s evolving requirements and plot an actionable pathway for your compliance team to follow.
Learn more about the advantages of hiring a DORA consultant
This can save you a large amount of time, cut uncertainty, and dramatically reduce the risk DORA compliance creates.
Secforce Is Ready to Help UK businesses ace DORA
SECFORCE has extensive experience helping UK financial service entities and businesses serving the UK FSI build resilience, test their systems, and navigate compliance journeys like the ones they will encounter with DORA.
If you are a UK business that wants help with your DORA compliance efforts, contact us.
