
DORA or not to DORA – What Next for UK Banks?


    Whilst compliance matters, not every line of legislation is going to impact your business in the same way. Even if DORA (the EU’s Digital Operational Resilience Act) is not on your immediate radar, operational resilience should be.

    DORA, Europe’s flagship cyber resilience regulation for financial services providers, once had an exciting ‘water-cooler moment’ and, nowadays, has hardened into a looming deadline. January 2025 is the date by which any bank or building society must be able to demonstrate that its operational resilience is in place, tightened, secured, and defensible. Compliance surfaces thick and fast in regulated sectors, and DORA – along with its UK counterpart regulation – is moving beyond the banner of security protocols. Here is dedicated legislation with a wide focus on resilience – almost too wide – where banks won’t necessarily be told how to achieve resilience (the exact tools, for example), but rather that resilience is the target.

    Having DORA or its UK equivalent committed to your diary (and memory) is the easy part. Demystifying what’s applicable, as is common with compliance, isn’t challenging either – operational resilience is the end goal. The challenge isn’t knowing that operational resilience is fast becoming de rigueur, a kind of mandated layer of protection, in the financial services space, but rather that getting resilient isn’t always a simple, straightforward journey.

    DORA Might Not Matter (Unless You Have an EU Subsidiary). But Operational Resilience Does.

    Buyer’s warning: don’t race to resilience; take cautious, considered steps in the right direction. Regulatory demands change all the time, but the principles of security and resilience are more fixed in place. Practically, this means that settling into the right toolset and mindset can pay forward substantial value when you face future disruption.

    DORA Recap: What, Where & Why

    Firstly, it’s critical to know that DORA is a benchmark piece of regulation that will influence how financial entities in the EU operate and remain resilient, including banks, investment firms, and third-party IT service providers. UK banks and other financial institutions with EU subsidiaries will likely be impacted here.

    DORA’s key objective is to strengthen how banks address their tolerance to digitally disruptive events like cyber-attacks. Furthermore, business continuity and disaster recovery have become bookends in the same conversation about resilience.

    For a more detailed look into DORA, its rules, and how to comply with them, you can read our guide that explains the regulation here.

    Will DORA Affect UK Banks and Building Societies?

    As DORA becomes a critical regulatory benchmark within the EU, a key question arises for UK-based banks and building societies: Will they be impacted by the compliance requirements of DORA? This question is particularly interesting given the post-Brexit regulatory landscape and the UK’s approach to financial regulation.

    Whilst it’s the responsibility of every FS organisation to determine its own exposure, every firm must address operational resilience. 

    DORA is key EU regulation.


    The UK’s Road to Resilience

    What started as smart talk around the urgency to defend banks from cyber threats and risks of all sizes has now hardened into a mandatory piece of legislation that will affect how banks operate. As early as 2018, the Financial Conduct Authority (FCA) was declaring that operational resilience would become a default, enforced requirement under regulatory change. Resilience is not just a synonym for tightened security either – although it can be tempting to make the costly assumption that operational resilience is just another way to frame security measures.

    Operational resilience, as seen by UK regulators, is a cornerstone to financial stability. But what does it actually mean?

    The Bank of England (BoE) defines operational resilience simply as the following:

    “We mean the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them.”

    Importantly, the meaning extends into business continuity and disaster recovery. So, under these new regulations, firms will be expected to deliver business as usual regardless of any type of disruption. This might include:

    • Cyber-attacks (including cyber warfare)
    • System downtime, outages and other unscheduled failures
    • Third-party supplier troubles
    • Naturally occurring hazards and risks, such as severe weather patterns or a pandemic

    Cyber security controls are still expected, but operational resilience extends the ways businesses define, mitigate, and control the full variety of risks. Under this new scope, UK financial services providers will need greater diligence in planning to grapple with modern, highly disruptive forces.

    DORA vs UK’s Operational Resilience Objectives

    Many of the strategic requirements in the UK for meeting resilience standards appear, at first glance, to match the expectations outlined by DORA. Critically, here in the UK, the operational resilience timeline explains why DORA might not apply to your firm.

    Since 2018, UK financial regulators have been hardening their approach to operational resilience. Consequently, the proposed regulation for 2025 in the UK shares many similarities with DORA, including:

    • Operational Resilience Requirements (i.e. SS1/21)
    • Testing as a requirement (such as the Bank of England’s pioneered CBEST assessment)
    • Incident reporting (new frameworks will exist to capture operational incidents)
    • Third-Party Risk Management
    • Review of third-party suppliers

    When UK regulators drafted new policy in the area of operational resilience, many critical requirements became interoperable with overseas frameworks (like DORA). International cooperation between the Bank of England and its overseas counterparts remains firmly bonded, where standard-setting and mindful regulation are paving the way for more globally resilient financial institutions.

    Why Now?

    Compliance is a constant boiling pot of ideas, deadlines, and calls to tighten how regulated industries operate and modernise. Official, regulated guidance, whether it’s best practice or mandated, exists to safeguard, defend, secure, and protect a business, its users, and other organisations downwind in a supply chain. In recent years, resilience has been enshrined in this kind of regulation, making it one of the most talked-about subjects in boardrooms across the world.

    Why?

    As the threat landscape widens, attacks become smarter, more voracious, and more targeted, and the cost of a successful attack is now enough to take down a business, the urgency of resilience has grown into a key priority. Regulators are keenly alert to this trend and perhaps even more alarmed by the possible harm from disruption, as the world saw after the COVID-19 pandemic. The knock-on effect after IT systems become compromised can be devastating, as disruption ripples outward, impacting a wider supply chain. If, for example, a financial services provider were compromised, users could be affected with costly ramifications, or a bad actor could deepen their attack on the sector, related suppliers, and so forth until there’s a negative impact on the global economy.

    DORA, and its UK counterpart, are enforcing operational resilience and how organisations stand up to modern threats like cyber-attacks, data leaks, human errors, and system vulnerabilities. When adhered to, these Acts will, in theory, only serve to strengthen the security of the wider financial services landscape, ensuring stability and resilience in the face of uncertainty and disruption.

    Achieve Operational Resilience with CSI.

    It doesn’t end with strict adherence to resilience objectives; DORA’s literature also points to intelligence sharing, a kind of open communication, as a possible way forward. Whilst strictly optional, a community of shared risk intelligence, against the likes of prominent cyber threats, is no bad thing. It’s actually the opposite: a brave new world where the risks of digitisation become a problem halved through the science of collaboration.

    Operational resilience has always been best practice, but will start to be explicitly regulated in 2025.

    The journey to compliance is still a long, winding road for many.

    Operational Resilience by Example 

    A close technology partner to Darlington Building Society, CSI helped this national financial services provider embrace the digital economy with scalable, secure cloud solutions.

    Speaking about the relationship, our client had this to say:

    Following the successful cloud migration, we are looking forward to a strong future relationship as we continue to grow and invest in our digital future.

    You can read the full story here. 

    Achieve Resilience with CSI

    Regardless of whether or not DORA applies – operational resilience will influence your business in the next year. To remain compliant, financial services providers will need to meet and exceed these objectives – from rigorous testing, to mapping out response plans for critical (and highly disruptive) incidents, to remaining operationally online.

    For proactive, compliant financial service providers, operational resilience requirements can be seen as an opportunity to tighten operational values and become more hardened against the disruptive forces outside your business. Operational resilience underpins, with substantial weight, the UK’s attitude towards its banking ecosystem: even the slightest wave of disruption, if effective, could impede the productivity of one of the nation’s most critical industries. Once agile and robust, banks are encouraged to future-proof themselves through this new compliance.

    In conversation with banks, building societies and investment firms, CSI’s FS specialists and analysts have been, for decades, working toward the goal of building profitable and resilient operations. Whether that’s through high-performance IT solutions, scalable storage, or beyond, we can help.

    Get in touch today for a no-obligation chat with our specialists and find the support and advice you’re looking for. We’ve been trusted advisors to UK banks for decades – helping customers like Darlington Building Society unlock more value from technology.

    About the author

    Sandip Channa

    Chief Technology Officer

    Sandip has held technical positions in IT for over 20 years and leads the technical functions within CSI.
