UK firms with business activities within EU jurisdiction need to act quickly to ensure they comply with new EU DORA regulations by the deadline of 17 January 2025. As the Digital Operational Resilience Act (DORA) is a regulation, not a directive, it is binding and applicable in all EU member states and to UK financial entities operating across EU borders, irrespective of their size or complexity.
The Act is an acknowledgement by the EU that ICT incidents and a lack of operational resilience have the potential to jeopardise the entire financial system. The aim of the regulations is therefore to ensure all participants in the finance market, (including banks, insurance, and investment firms) are able to maintain operations when threatened by IT or cyber-security issues by creating a standardised approach to risk.
The Bank of England, in conjunction with HM Treasury and the Financial Conduct Authority already expects UK firms to ‘have robust plans in place to deliver essential services’ in the face of ‘cyber-attacks, IT outages and third-party system failure’. However, the DORA regulations necessary for UK financial organisations acting in the EU are more wide-ranging and prescriptive, and cover 5 key areas: ICT risk management, reporting on ICT-related incidents, digital operational resilience testing, management of third-party risk, and information and intelligence sharing. Institutions who have already fulfilled UK guidance will find this useful preparation for meeting the more rigorous DORA regulations.
Penalties for failing to comply with the DORA will vary depending on the circumstances and the severity of the infringement. These range from customary penalties, such as awarding customers with compensation, to more severe sanctions such as fines of up to 10 million euros or 2% of an organisation’s annual turnover, (whichever is higher) for serious infringements.
Although DORA presents a challenge, it also provides an opportunity for financial organisations to build trust and strengthen their performance where it impacts most on consumer preference. A 2023 article by Financial IT magazine explained how today’s customers ‘expect seamless, around-the-clock availability from any bank they engage with, and even the slightest moment of downtime can result in their departure, especially when personal finances are implicated’.
As DORA brings provisions for addressing digital risk in finance together in a single legislative act for the first time, it aims to reduce regulatory complexity. This should limit compliance costs long-term, especially for financial entities operating across European borders.
Read about solutions to the technical challenges DORA presents in our latest blog post.