Operational Resilience Legislation Frameworks

Learn the key aspects and differences between the legislative frameworks

12 April 2024 | Blog | AJ Thompson


Understand how financial institutions can navigate the complex regulatory landscape to enhance operational resilience.

Ensuring the UK financial sector’s operational resilience is crucial for protecting consumers, firms, and financial markets. Operational disruptions can lead to widespread consumer harm, jeopardise market integrity, threaten the viability of companies, and destabilise financial systems. Organisations must critically understand the services they provide and invest in their resilience.

Two significant regulatory frameworks, the EU's Digital Operational Resilience Act (DORA) and the UK operational resilience regime set out in FCA Policy Statement PS21/3 (referred to here as the Operational Resilience Act, ORA), have been pivotal in this context. Understanding the nuances and distinctions between the two is essential for financial institutions seeking to ensure compliance with either or both and to fortify their operational resilience.

Operational Resilience Act (ORA): also referred to as PS21/3

The Operational Resilience Act (ORA), introduced in the United Kingdom, focuses on enhancing the financial services sector’s operational resilience. The rules came into force on 31 March 2022, and firms must be able to remain within their impact tolerances for each important business service no later than 31 March 2025. The policy outlines several key operational resilience requirements for banks, building societies, and designated investment firms within the UK.

Here are the main components of the Operational Resilience Act PS21/3:

Important business services identification:
Firms must identify the business services that, if disrupted, could cause intolerable harm to consumers or threaten the market’s integrity. Understanding the impact of a disruption to each of these services is the basis for setting impact tolerances and for ensuring their continuity.

Impact tolerance setting:
For each important business service, firms must set a clear threshold for the maximum tolerable level of disruption (for example, a maximum outage duration). Explicit tolerances let firms assess their resilience capabilities against a defined target rather than a vague aspiration, and sharpen their preparedness for potential service disruptions.

Mapping and testing:
By 31 March 2025, firms are expected to have mapped the people, processes, technology, facilities and third parties that support each important business service, and to have completed scenario testing demonstrating that they can stay within the defined impact tolerance for each service.

Learning scenarios utilisation:
Organisations must use severe but plausible scenarios to test their ability to remain within impact tolerances, and use the lessons learned from each test to address the vulnerabilities it exposes. This makes operational resilience a proactive, scenario-driven discipline rather than a reactive one.

The Financial Conduct Authority (FCA) plays a critical role in overseeing the implementation of operational resilience in the financial services sector. Through authorisations, enforcement actions, and supervision, the FCA aims to enhance market integrity, foster competition, and protect consumers. Its guidelines for operational resilience, developed in collaboration with the Bank of England and the Prudential Regulation Authority, highlight the importance of firms being able to prevent, adapt, respond to, recover from, and learn from operational disruptions, laying out principles for operational resilience.

Read more on the FCA website

Overview of DORA


The Digital Operational Resilience Act (DORA) is a comprehensive regulation set by the European Union that aims to boost the digital operational resilience and IT security of financial entities such as banks, insurance companies, and investment firms. It addresses ICT risk and builds a strong operational framework to ensure these institutions can withstand digital disruptions.

Five Core Pillars:

ICT Risk Management:
Establishing robust mechanisms to manage and mitigate ICT risks.

ICT-related incident reporting:
The mandate for reporting significant cyber incidents and ICT-related incidents is a critical step towards maintaining transparency and enabling swift action. This ensures that financial entities can quickly address any vulnerabilities to protect their operations.

Digital Operational Resilience Testing:
Regular testing is required to ensure systems can withstand cyber threats.

ICT third-party risk:
Managing risks associated with third-party service providers.

Information sharing:
Financial entities are encouraged to exchange information and intelligence on cyber threats and vulnerabilities with one another, strengthening cyber risk and third-party risk management across the sector as a whole.

Implementation timeline
DORA applies from 17 January 2025, by which date financial entities and their ICT third-party service providers must have integrated its requirements into their ICT risk management and operations. This includes identifying and mapping the ICT-supported business functions and their dependencies, and testing that those functions can be maintained through ICT disruption.

Regulatory framework and compliance
DORA introduces specific, prescriptive requirements for financial institutions and critical ICT third parties to withstand, respond to, and recover from the impact of ICT incidents. Enforcement of these regulations will be overseen by designated regulators in each EU member state, known as ‘competent authorities,’ with ‘critical’ ICT providers being directly supervised by lead overseers from the European Supervisory Authorities (ESAs).

Read more about DORA here

Key differences between the Operational Resilience legislation


Regulatory scope:

  • DORA is an EU-wide regulation applicable to financial entities and critical ICT third-party providers (TPPs), and aims to standardise practices across member states.
  • ORA, by contrast, is specific to the UK and targets banks, building societies, and designated investment firms, highlighting the different regulatory approaches taken in the EU and the UK.

Implementation timeline:

  • DORA applies from 17 January 2025, with its detailed technical standards phased in ahead of that date.
  • ORA’s rules came into force on 31 March 2022, roughly a year after the policy statement was published, followed by a transition period to 31 March 2025 for firms to demonstrate they can remain within impact tolerances. This showcases the varied timelines for adopting the two frameworks.

Focus areas:

  • DORA is built on the five pillars described above and is prescriptive within them, for example mandating threat-led penetration testing (TLPT) for designated entities and stringent incident reporting, with direct oversight of critical ICT service providers.
  • ORA emphasises identifying important business services and setting impact tolerances, and leaves firms more flexibility in how they implement and evidence their resilience.

Operational aspects of compliance requirements:

  • DORA mandates active monitoring of risks arising from ICT third-party service providers throughout the life of each contractual relationship.
  • ORA requires firms to identify and document the third parties on which their important business services depend, in line with its focus on mapping those services and demonstrating that they can continue within impact tolerances. The Bank of England’s plan to publish a consolidated list of such providers signals a proactive approach: it gives financial institutions visibility into their critical vendors and service providers, allowing them to assess and mitigate potential disruptions.

Testing and reporting:

  • DORA sets specific requirements for digital operational resilience testing and for classifying and reporting ICT-related incidents.
  • ORA, on the other hand, focuses on scenario testing against impact tolerances, offering a more adaptable framework for firms while underscoring the central role of scenario testing in ensuring operational resilience.

Strategies for compliance and mitigating risks


Adopting strategic measures for compliance and mitigating risks is paramount for financial institutions navigating the complexities of DORA and ORA. Here are key strategies:

  • Robust governance and resource allocation:
    • Establish strong governance structures to oversee compliance efforts.
    • Allocate adequate resources, including budget and personnel, to address the evolving cyber threat landscape.
  • Technology infrastructure and cyber risk assessment:
    • Conduct thorough cyber risk assessments of the organisation’s technology infrastructure and attack surface.
    • Use tooling to measure and systematically lower cyber risk, and to identify the gaps that must be closed to meet regulatory requirements.
  • Operational resilience planning:
    • Identify important business services (including those delivered at group level) and set an impact tolerance for each.
    • Map the resources supporting each service and run scenario tests for cyber-related disruptions to confirm operations can stay within impact tolerances.
    • Invest in the changes needed to operate consistently within those tolerances, with Boards and senior management accountable for oversight and the teams running each service accountable for keeping it within tolerance.

Financial entities must embrace rigorous risk management, compliance, and governance to mitigate cyber risks and ensure operational resilience.

Conclusion

Financial sector institutions are encouraged to adopt a strategic compliance and risk mitigation approach. This involves understanding and integrating regulatory mandates and considering the broader implications of these frameworks for the financial sector’s operational landscape.

As compliance deadlines approach, the path forward offers institutions a unique opportunity to meet regulatory expectations and redefine their resilience in an era of digital transformation and cyber risks.

At Northdoor, our experts can help you adapt, improve and comply with new policies in this rapidly changing regulatory climate. Contact us to learn more about the implications of operational resilience regulations and how your business can ensure compliance.
