
18 avril 2024

Cyber security – weathering the cyber storms – 5 of 6 Publications

How will the EU's DORA impact UK businesses?

Nicholas Crossland and Charlotte Witherington look at what the EU's Digital Operational Resilience Act means for UK businesses and at similar UK initiatives.

Author

Charlotte Witherington

Partner


The EU's Digital Operational Resilience Act (DORA) represents a shift in the EU's approach to ensuring the robustness and reliability of digital operations within its financial sector. Intended to address the rising threat of cyber attacks and the financial sector's increasing reliance on digital technology, DORA sets out a comprehensive regulatory framework aimed at enhancing the digital operational resilience of financial entities (FEs) in the EU.

However, the impact is not limited to EU-based businesses. As the UK navigates its post-Brexit relationship with the EU, it is important to understand how the UK's own plans for operational resilience will affect UK businesses, and also how the (more advanced) EU legislation could affect a UK technology business regardless of whether it directly serves FEs in the EU, while potentially giving UK businesses a competitive advantage if navigated strategically.

Overview of the EU's DORA

DORA, which entered into force on 16 January 2023, with an application date set for 17 January 2025, aims to fortify the IT security and operational resilience of a broad spectrum of FEs, including banks, insurance companies, and investment firms. Its core objective is to ensure that the European financial sector remains resilient in the face of severe operational disruptions. To that end, it goes some way toward harmonising the existing operational resilience rules across the financial sector and includes information and communication technology (ICT) third-party service providers within its scope.

DORA introduces a set of technical requirements across four principal domains:

  • ICT risk management and governance
  • Incident response and reporting
  • Digital operational resilience testing, and
  • Third-party risk management.

DORA's approach - scope, application and enforcement

Scope

DORA's reach extends across the entire EU financial ecosystem, encompassing a wide range of institutions from traditional banks and investment firms to non-traditional entities such as crypto asset service providers and crowdfunding platforms. However, notably, it also impacts businesses typically outside the purview of financial regulations: third-party ICT service providers such as cloud services and data centres. The most significant effects on these technology businesses are:

  • indirect exposure due to the obligations on FEs to manage their third-party risk, and
  • direct exposure where such businesses are designated as critical third parties (CTPs).

The latter represents the first time that technology businesses have been under the direct oversight of the financial services regulators. This will lead to a unique regulatory dynamic where a regulator's remit could include parties on both sides of the same ICT services arrangement.

Proportionality

DORA emphasises a proportionate application, to some extent scaling compliance expectations relative to the size and nature of the regulated entity. Key responsibilities include establishing comprehensive ICT risk management frameworks, developing incident management processes, conducting regular resilience testing, and managing third-party risks.

Enforcement

The enforcement of DORA will be overseen by designated regulators within each EU Member State (Competent Authorities) with the power to impose penalties for non-compliance. Additionally, CTPs will be directly supervised by lead overseers from the European Supervisory Authorities. DORA also encourages voluntary information sharing among financial entities regarding the emerging landscape of cyber threats.

The UK’s DORA equivalent

It is important for UK businesses, whether they are themselves FEs or they provide ICT services to FEs, to understand the implications of DORA in the context of the UK's post-Brexit regulatory environment.

Pre-Brexit

Before Brexit, the UK's financial regulations were closely aligned with EU standards, including those related to digital operational resilience. This alignment allowed for cross-border operations for UK-based financial entities.

Now

After leaving the EU, the UK retained a substantial part of the EU's financial legislation but has since begun to review and, in some cases, diverge from EU regulations. To that end, the UK is in the process of introducing its own DORA equivalent (UK DORA), meaning that UK technology businesses with FE customers in the EU will need to navigate two regulatory regimes in parallel.

The EU's DORA is significantly more progressed than UK DORA, but insights from the UK's existing approach to operational resilience may be informative for making comparisons. Both the UK and EU frameworks mandate the identification of critical business services or functions and require some form of operational resilience testing. The UK's existing approach involves firms identifying "important business services" and determining their "impact tolerance," with detailed considerations of various factors affecting service disruption. EU DORA mandates the creation of an ICT risk management framework, including digital resilience strategy and governance, but is less granular in requiring businesses to set impact tolerances for each critical function or service.

Impact of EU's DORA on UK businesses

Direct impact

  • Compliance with EU Regulations: UK financial entities and ICT service providers operating in the EU will need to comply with DORA's requirements. This includes, for FEs, the need for robust ICT risk management frameworks, incident reporting mechanisms, and digital operational resilience testing.
  • Regulation of CTPs: UK technology providers considered 'critical' under DORA will face direct regulation by EU authorities, potentially requiring the establishment of EU-based subsidiaries for regulatory compliance.

Indirect impact

  • Subcontractors: one of the more nuanced obligations placed on FEs by DORA is to monitor their ICT service supply chains. In principle this involves scrutiny not only of their immediate providers but also of second-, third-, fourth-tier (and further) subcontractors where such a subcontractor "materially underpins" the ICT service being used. This further increases the potential for a UK provider to find itself affected by DORA, even where it does not provide ICT services to any FEs in the EU, or to any FEs at all.
  • Market access: compliance with DORA may influence market access for UK businesses in the EU. Adherence to DORA's stringent requirements may also serve as a benchmark, influencing expectations among clients and partners beyond the EU, potentially impacting competitive positioning in the global market.
  • Compliance costs: as with any incoming regulation requiring changes to processes and systems, there will likely be increased compliance costs for in-scope businesses.

Opportunities for UK businesses

As the UK seeks to build its status as a global technology hub, it's worth mentioning the opportunities created by DORA for UK technology businesses. FEs (and ICT providers) will need to strategically plan for DORA compliance, considering the implications for ICT risk management, third-party provider relationships, and incident response mechanisms.

This may involve investment in technology, processes, and skills development, creating an opportunity both for those at the forefront of technological innovation and for industry heavyweights, whose trust and reliability in the eyes of customers (and regulators) could become an increasingly important competitive advantage.

With details of UK DORA still to be finalised, we have yet to see how the landscape will evolve locally for UK businesses, noting that this will be a parallel regime to the one taking shape in the EU.
