How DORA will impact the financial services sector

It is estimated that cybercrime cost the UK economy around £27 billion in 2022, rising to £30.5 billion in 2023 and expected to increase again in 2024. On a global scale, the figure is in the multi-trillions. So, it’s not surprising that legislators are looking at how best to tackle this problem - especially within the financial sector.

Enter DORA - not Dora the Explorer, but the more grown-up Digital Operational Resilience Act.

What does DORA want?

Transparency, protection, and accountability.

When does DORA want it?

Now - or at least by 17 January 2025.

Who does DORA affect?

It affects financial entities - a term defined by a long list in the Regulation that includes credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, and insurers and reinsurers, to name a few.

DORA entered into force in January 2023, and the European legislators gave financial entities a two-year window within which to implement a series of stringent operational measures in relation to their ICT services, to protect against ICT disruption and cyber attacks. There is an element of proportionality in relation to these measures, based on a financial entity’s size, risk profile and the nature of its activities.

The broad definition of ICT services refers to ‘digital and data services provided through ICT systems’ and therefore covers hardware and software in their various guises. As the intention of the legislation is to provide transparency and accountability throughout the ICT services supply chain, not only do financial entities need to implement measures but so too do the ICT services providers, particularly those designated as critical to the financial sector, which fall under direct oversight by the European Supervisory Authorities.

What are the core principles of DORA?

DORA builds on existing resilience requirements within the financial services sector and promotes an ‘ISO27001 meets Cyber Essentials’ style of ICT risk management based on five core principles:

  • ICT Risk Management - establishing an internal framework addressing ICT risks.
  • ICT Incident Management, Classification & Reporting - having a process for detecting, classifying and responding to ICT-related incidents, and reporting major incidents to the competent authority.
  • Digital Operational Resilience Testing - regular testing of ICT systems (at least annually for systems supporting critical or important functions), threat-led penetration testing at least every three years for entities identified for it, and addressing the gaps and weaknesses found.
  • ICT Third Party Risk Management - keeping a register of third party providers, monitoring the risks they present, and applying extra scrutiny to those supporting critical or important functions.
  • Information-Sharing Arrangements - allowing financial entities to exchange cyber threat information and intelligence with each other within trusted communities, and to work with the supervisory bodies to share data and act, where necessary.

Regulators will wish to be satisfied not only that measures are in place, but that they are actioned.

How does DORA impact the UK?

Whilst not as far-reaching as the GDPR (which applies to the processing of personal data of individuals in the EU even by organisations established outside it), DORA impacts financial entities if they have an arm authorised and operating in the EU. UK financial entities with an EU presence therefore need to be aware of what the requirements are. Equally, ICT services providers who support financial entities in the EU, wherever those providers are based, will need to be prepared for the extra scrutiny, since DORA’s contractual requirements flow down to them.

Whilst the EU is leading the way, the UK will not be far behind with its own measures. A joint consultation paper between the Bank of England, the PRA and the FCA closed on 15 March 2024, looking at how best to use the powers given to them under FSMA 2023 to designate, monitor and manage the risks of critical third parties to the UK financial sector.

What are the next steps?

DORA is supplemented by two batches of regulatory and implementing technical standards (RTSs and ITSs), drafted by the European Supervisory Authorities, to provide more detailed guidance. The first batch was published in January this year, with the second due this July.

DORA also contains a list of key contractual provisions (Article 30) that will need to be considered when financial entities enter into contracts with ICT services providers, with additional provisions for contracts supporting critical or important functions.

The details of the contractual rights and considerations from January’s RTS are available here.

Financial entities and their ICT services providers should therefore perform a gap analysis between their current measures and the requirements of DORA, and look to address those gaps before 17 January 2025, as well as updating their existing and future contracts and templates, as necessary.

For further information, please email Mark Hughes or call 0151 906 1000.