
Navigating ICT Compliance: EU DORA vs. UK Operational Resilience Regulation

Updated: Nov 4


DORA vs. Operational Resilience Regulation

Q1 2025 is an important milestone in the European financial landscape for financial institutions, both in continental Europe and in the UK.


Two major regulations are kicking off: the Digital Operational Resilience Act (DORA) in the European Union on January 17th, and the Operational Resilience Regulation in the UK on March 31st. Although both frameworks aim to strengthen the operational resilience of financial services, they differ significantly in scope.


DORA is focused specifically on digital operational resilience, targeting ICT risks and third-party service providers, while the UK’s framework takes a broader view of operational resilience that includes both digital and non-digital disruptions.

Who has to comply

Digital Operational Resilience Act, EU:

  • Banks and Credit Institutions
  • Investment Firms
  • Payment Institutions
  • Asset Management Companies (including UCITS and AIFMs)
  • Crypto-Asset Service Providers
  • Payment and E-money Institutions
  • Crowdfunding Service Providers
  • Central Securities Depositories
  • Central Counterparties
  • Insurance and Reinsurance Companies
  • Trading Venues

Operational Resilience Regulation, UK:

  • Banks
  • Building societies
  • PRA-designated investment firms
  • Insurers
  • Recognised Investment Exchanges
  • Enhanced scope Senior Managers and Certification Regime firms, and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011

Goal and Coverage

Digital Operational Resilience Act, EU:

  • The regulation aims to strengthen the digital operational resilience of financial entities. Its primary objective is to ensure that these entities can withstand, respond to, and recover from ICT-related disruptions, such as cyberattacks, system failures, and data breaches.
  • It establishes a unified regulatory framework for managing ICT risks, enhancing the security and stability of the financial system, and ensuring that both financial institutions and their third-party ICT service providers are better prepared for digital threats.

Operational Resilience Regulation, UK:

  • It has a broader focus than DORA, encompassing the resilience of important business services, with a strong emphasis on ensuring that firms can continue to provide these services even during disruptions.
  • The UK's approach is not limited to digital resilience but looks at operational resilience in a more holistic way, considering non-digital disruptions such as supply chain issues, third-party outages, and physical threats (e.g., pandemics, natural disasters).

Key Components

Digital Operational Resilience Act, EU:

  • ICT Risk Management: Requires firms to have robust processes for managing ICT-related risks.
  • Incident Reporting: Sets out a framework for reporting significant ICT incidents to regulators.
  • Digital Resilience Testing: Firms must regularly test their digital operational resilience through assessments and simulations.
  • Third-Party Risk Management: Obligatory management of risks related to outsourcing, particularly critical ICT providers, including remediation of the contractual arrangements for third-party ICT services.
  • Information Sharing: Encourages information sharing between financial institutions and regulators to improve cybersecurity practices.

Operational Resilience Regulation, UK:

  • Impact Tolerances: Firms must set impact tolerances for important business services, i.e. thresholds for acceptable levels of disruption.
  • Mapping and Testing: Firms are required to map the resources supporting important business services and conduct regular testing to ensure these services can continue during disruptions.
  • Scenario Testing: Firms must use a range of scenarios to test their operational resilience, not only focusing on ICT but also on physical and other business disruptions.

Responsibility

Digital Operational Resilience Act, EU:

  • Noncompliant entities can be fined up to 1% of average daily worldwide turnover in the preceding fiscal year. This fine can be levied every day until the financial entity achieves compliance.
  • Entities found to be in violation of DORA requirements may face fines of up to 2% of total annual worldwide turnover or a maximum fine of €10m.
  • In some jurisdictions, senior management, including board members, can be held personally accountable with a maximum fine of €5m.

Operational Resilience Regulation, UK:

  • FCA fines for operational resilience breaches can range from £10m to £50m or more, depending on the impact of the breach.
  • Senior Management Responsibility: The UK framework places heavy emphasis on governance, with senior managers being directly accountable for operational resilience.
    • Executives could face temporary or permanent disqualification from holding senior roles within regulated firms.
    • The FCA may fine senior managers up to £1m or more for significant misconduct or failure to take reasonable steps to prevent non-compliance.

Please contact us to arrange a call and discuss your company's DORA relevant needs and compliance risks.

