How to Prepare for EU DORA Ahead of January 2025
December 3, 2024
The EU Digital Operational Resilience Act (DORA) is shaking up the financial industry. This game-changing regulation sets a new standard for operational resilience and cybersecurity within the European Union. While it’s primarily an EU regulation, UK-based companies might find themselves needing to comply with DORA as well, particularly if they operate within the EU or provide services to EU-based clients.
With the January 2025 compliance deadline fast approaching, companies must take action to enhance their cybersecurity posture and operational resilience to meet the stringent requirements of the regulation.
What is the EU DORA?
DORA is a key component of the EU's Digital Finance Strategy, designed to bolster the resilience of the financial sector against a wide array of information and communications technology (ICT) risks. This includes threats like cyberattacks, system failures, and vulnerabilities stemming from third-party IT service providers.
The scope of DORA is extensive, covering a wide range of financial entities such as banks, insurance companies, investment firms, and payment service providers. Even ICT third-party providers serving these organisations fall under its purview. By establishing a consistent framework across the EU, DORA ensures that financial institutions can effectively withstand, respond to, and recover from operational disruptions.
Why UK Companies Might Need to Comply with DORA
Despite Brexit, UK companies cannot afford to ignore DORA. Here's why:
- Cross-Border Operations: Many UK-based financial institutions have branches, clients, or subsidiaries within the EU. If these entities fall under DORA, the UK parent company must ensure compliance to avoid penalties and operational disruptions. For instance, a UK bank offering services in France needs to align its ICT systems with DORA's operational resilience standards.
- Third-Party Service Providers: UK-based ICT service providers, such as cloud providers or fintech solutions companies, that serve EU financial entities are also subject to DORA. Any cybersecurity incident or operational disruption affecting these providers could impact their EU clients, making compliance crucial for maintaining those business relationships.
- Market Access and Competitiveness: DORA compliance can be a key factor for UK financial institutions seeking to access or maintain their presence in EU markets. EU financial institutions may require proof of DORA compliance from their UK partners, making it essential for securing and retaining business.
- Alignment with Global Regulatory Trends: DORA reflects a growing global trend toward stricter cybersecurity and operational resilience regulations, particularly in finance. UK companies that align with DORA position themselves well for future UK regulations and international standards.
Key Cybersecurity and Resilience Improvements for DORA Compliance
DORA outlines several key areas where companies need to enhance their cybersecurity and operational resilience. First and foremost, a robust ICT risk management framework is crucial. This framework should be seamlessly integrated into the overall risk management strategy and cover all aspects of identifying, assessing, and mitigating ICT-related risks. This includes addressing cyber threats, system failures, and third-party dependencies. To ensure vulnerabilities are identified and addressed promptly, regular risk assessments and continuous monitoring are vital.
DORA also mandates prompt incident reporting to regulatory authorities, typically within 72 hours. UK companies need a well-defined incident response process that includes classifying incidents based on their severity and potential impact, establishing a dedicated incident reporting team that can act swiftly to notify regulators, and meticulously documenting all incidents and the remedial actions taken.
Another core component of DORA is managing third-party ICT risk. UK companies relying on ICT service providers must ensure those providers also meet DORA standards. This involves conducting thorough due diligence on potential providers, incorporating compliance clauses in contracts to ensure adherence to security controls, and continuously monitoring third-party performance to maintain oversight of their cybersecurity practices.
Regular testing is also essential to assess the effectiveness of your cybersecurity and ICT systems. This includes penetration testing to simulate real-world cyberattacks, disaster recovery tests to ensure business continuity in the event of a disruption, and vulnerability assessments to identify weaknesses in the ICT infrastructure. It's important that testing results are reviewed by management, and any identified weaknesses are addressed promptly.
DORA also emphasizes strong cybersecurity controls. This includes implementing multi-factor authentication to secure access to critical systems, encrypting sensitive data both at rest and in transit, establishing access controls to limit access to critical systems and information to authorized personnel only, and implementing real-time monitoring to detect and respond to anomalous or malicious activities. Investing in advanced threat detection and response systems is also highly recommended to proactively mitigate risks.
Finally, clear governance structures for ICT risk management are essential for DORA compliance. This includes clearly defining roles and responsibilities for cybersecurity at all levels of the organisation, ensuring senior management is actively involved in strategic decisions regarding operational resilience, and establishing regular reporting to the board of directors on ICT risk exposure and the effectiveness of resilience measures.
Immediate Steps UK Companies Should Take
The January 2025 DORA compliance deadline is fast approaching. Here's how UK companies can prepare:
- Conduct a Gap Analysis: Assess your current ICT and cybersecurity practices against DORA requirements to identify areas needing improvement.
- Engage with Legal and Compliance Teams: Collaborate with legal and compliance experts to understand DORA's implications for your specific operations, especially regarding EU subsidiaries and business relationships.
- Update Risk Management Framework: Revise your ICT risk management framework to align with DORA, ensuring comprehensive risk identification, assessment, and mitigation.
- Develop Incident Response and Reporting Procedures: Establish or enhance incident response plans, including clear procedures for reporting incidents to regulators. Conduct drills to ensure your team is prepared.
- Audit and Test Operational Resilience: Schedule penetration tests, vulnerability assessments, and resilience tests well in advance of the deadline to allow time for remediation.
Contact us about EU DORA
The EU DORA represents a significant step in strengthening the operational resilience of the financial sector. While it's an EU regulation, its impact is far-reaching. UK companies with connections to the EU financial sector must take action to ensure compliance.
By proactively addressing DORA's requirements, UK companies can not only ensure continued market access and avoid penalties but also enhance their overall cybersecurity posture and operational resilience. In an increasingly interconnected and regulated world, aligning with DORA's standards is not just about compliance; it's about building a stronger, more secure foundation for future growth.
Need some help with EU DORA preparations? Contact us today.