Digital Operational Resilience Act
What is DORA?
DORA (Regulation (EU) 2022/2554) addresses the growing dependence of the financial sector on digital operations. In an increasingly interconnected and digitised world, the ability of financial institutions to withstand, respond to and recover from ICT-related disruptions is paramount. DORA is built on five pillars:
ICT risk management
ICT-related incident management, classification and reporting
Digital operational resilience testing
Managing ICT third-party risk
Information-sharing arrangements
How does DORA affect UK Companies?
Even though the UK is no longer an EU member, DORA will affect UK companies that have operations in, or business relationships with, EU financial entities. This is particularly relevant to financial institutions with European clients or branches, and to ICT service providers supporting them, since DORA obliges EU financial entities to impose contractual requirements on their ICT third-party providers wherever those providers are based. Such companies will need to meet DORA’s requirements to continue serving the EU market.
UK companies that do not meet DORA’s requirements may be at a competitive disadvantage in the EU market. This can mean a loss of market share, or the need to adjust business practices and contracts to stay compliant.
The UK government has signalled that it intends to introduce comparable rules for UK companies. In 2024 a raft of new EU regulations and directives came into play to tighten cyber security, including NIS2 and the Cyber Resilience Act. Although these do not apply directly to the UK, the UK is unlikely to want to lag behind and can be expected to introduce similar enforceable laws to work alongside its existing advice, best practices and frameworks. The National Cyber Strategy’s mission statement is that the ‘UK in 2030 will continue to be a leading responsible and democratic cyber power, able to protect and promote our interests in and through cyberspace in support of national goals’.
Navigating the Impact of DORA
In 2024/25 a raft of new directives and regulations take effect that will affect several of our customers operating in the applicable industries and geographies. For example, the Digital Operational Resilience Act, or ‘DORA’, entered into force in January 2023 and applies from 17 January 2025.
Read our blog from Geoff Clemow, sponsored by Hitachi, as he explores how to navigate the impact of DORA.
Fines and GDPR
Enforcement of DORA sits with the competent financial authorities designated by each EU member state (rather than with the data protection authorities that enforce GDPR). Where GDPR sets a fine cap of €20m or 4% of annual worldwide turnover (whichever is greater), DORA leaves the penalty regime for financial entities to member states, so there is no single EU-wide fine cap; for critical ICT third-party providers, the regulation does provide for periodic penalty payments of up to 1% of average daily worldwide turnover. GDPR fines levied to date already run to billions of euros.
DORA does not replace GDPR. GDPR fines are typically levied after something has gone wrong: a data breach, or non-compliance with a right-to-be-forgotten request, for example. DORA means that penalties can be imposed on companies that are not, for example, demonstrably cyber resilient, even if no breach has occurred.
Complying with Regulations
DORA, though an EU regulation, has substantial implications for UK companies, particularly those in, or working with, the financial sector. While the exact impact will vary with the nature of their operations and their EU market exposure, it is crucial for UK companies to be proactive in understanding and preparing for the changes DORA brings.
Complying with the regulation not only preserves access to the EU market but also improves operational resilience and security, ultimately benefiting both companies and their customers.
Advice from our DORATpro
“DORA and the new regulations coming in the next year (including NIS2 and the CRA) aim to encourage and enforce best practices for Cyber Resilience and Business Continuity in general, which is welcomed, and frankly overdue. Organisations can no longer hope they won’t get breached, or fined under GDPR once the horses have bolted; they will need to lock the barn door beforehand.”
Geoff Clemow, DORATpro certified Datacentre Specialist
Get Started Today
DORA is a complex combination of cyber resilience, testing, reporting, and training. These are all areas that we can help with, so get in touch with us today.