In the global race for Operational Resilience (OpRes), climbing the DORA hill is the ultimate test for financial entities in Q125.
JWG’s analysis reveals that DORA’s standards equip institutions for the UK’s requirements, but the gap between UK obligations and DORA will trip some runners up. The reality is becoming clear: financial entities and their suppliers must be prepared for both the EU and UK regulatory challenges.
3 Key Takeaways
- DORA = focused on ICT risk: DORA establishes a comprehensive, prescriptive framework for ICT operational resilience, while the UK’s OpRes framework allows greater flexibility tailored to firms’ unique circumstances
- UK = reliant on DORA standards: While UK firms have flexibility in their governance and reporting arrangements, they will need to refer to DORA rules for the definition of ‘what good looks like’ to justify their approach to the UK regulators
- The marathon continues: Financial entities will need to adapt their OpRes preparation for evolving risks and new regulatory obligations including AI, cloud, and cyber threats.
DORA vs. UK OpRes: What’s the Difference?
As we highlighted in our previous OpRes analysis, Winning the OpRes Marathon, there will be many stages in the technology risk mitigation race ahead.
DORA, which becomes effective on 17 January 2025, is part of a broader EU framework addressing challenges posed by emerging technologies. Its detailed framework around ICT risk management anticipates the needs of the EU’s forthcoming Artificial Intelligence (AI) Act, the Network and Information Security 2 (NIS2) Directive, Markets in Crypto Assets (MiCA), and other shifts in the market.
The UK OpRes framework is different in that it is a standalone initiative. It is set to take full effect on 31 March 2025 – 52 working days after DORA’s cut-off. It is narrower in scope: it applies to banks and building societies, PRA-designated firms, insurers, and other financial institutions including Recognised Investment Exchanges, enhanced scope SM&CR firms, and entities authorised and registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011, with a strong focus on the resilience of important business services that, if disrupted, could affect financial stability or customer outcomes. Notably, DORA applies to many more types of financial entities and directly to their third-party ICT providers.
Exhibit 1: EU vs. UK OpRes Overview
Aspect | EU: DORA | UK: PS21/3+ | Key Deltas
Effective Date | 17 January 2025 | Transition ends 31 March 2025 | 52 working-day implementation lag
Scope | Broad, covering financial entities including banking and payments, insurance and investments sectors, and ICT third-party service providers providing services to financial entities. | Banks and building societies, PRA-designated firms, insurers, Recognised Investment Exchanges, enhanced scope SM&CR firms, entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011. | DORA applies to a wider set of entities and directly to ICT third-party providers
Regulatory Approach | Highly prescriptive, detailed rules for ICT risk management, incident reporting, and oversight of third-party providers | Principles-based, with flexibility on how firms meet the rules. Focuses on business services and resilience to disruptions | Prescriptive (EU) vs. principles-based (UK)
Source: JWG analysis, 09/24
The UK’s Approach
Primarily established through PS21/3, the UK’s OpRes framework focuses on ensuring firms can identify, manage, and recover from disruptions to their important business services.
Complementary guidance from SYSC 8 and 15A reinforces the governance and oversight mechanisms needed to meet the key principles, while SS1/21 and SS2/21 provide details on setting impact tolerances and managing risks from outsourcing. For firms relying heavily on critical third-party providers, SS3/21 and CP26/23 highlight the importance of resilience testing and contractual arrangements to ensure external dependencies don’t compromise operational stability.
Furthermore, the UK regulators, the FCA and the PRA, have stated that their flexible regime gives firms autonomy to implement and comply as they see fit:
“We recognise that there are some areas where the requirements are similar, and that it could be harder for firms to identify action they need to take to comply. We also appreciate the challenges for global firms in complying with cross-jurisdictional requirements.”
Source: FCA, PS21/3 Building operational resilience: Feedback to CP19/32 and final rules, 03/21
In short, the UK’s approach will be subject to many perspectives on ‘what good looks like’, which will not necessarily align with what is written in DORA. If a financial institution or its supplier is caught by both regimes, it had better ensure that DORA standards are primus inter pares.
Detailed EU vs. UK Gap Assessment
JWG’s comprehensive analysis of over 22,000 DORA provisions against UK operational resilience documents reveals several key divergences.
The most significant gaps emerge in critical areas such as ICT risk management, ICT-related incident management, and the oversight of ICT third-party risks. These areas represent foundational pillars in DORA’s approach, requiring rigorous governance and prescriptive controls. Additionally, while digital operational resilience testing and information-sharing frameworks may appear less critical by comparison, they still play an essential role in ensuring comprehensive resilience and regulatory alignment.
Firms must take these gaps seriously, as they reflect differing regulatory expectations that could significantly impact compliance strategies and risk management outcomes.
Exhibit 2: EU vs. UK OpRes Regulatory Obligation Deltas
EU: DORA | UK: PS21/3+ | Regulation assessed for deltas
1. ICT risk management | 1. Identification of important business services; 2. Setting impact tolerances; 3. Mapping and scenario testing | DORA; PS21/3+
2. ICT-related incident management, classification and reporting | 4. Governance, communication and reporting strategies | DORA; PS21/3+
3. Digital operational resilience testing | 5. Mapping and scenario testing | DORA; PS21/3+
4. Managing ICT third-party risk | N/A | DORA; PS21/3+
5. Information-sharing arrangements | 6. Governance, communication and reporting strategies; 7. Continuous improvement | DORA; PS21/3+
Note: In the original exhibit the delta cells are colour-coded; yellow deltas indicate UK gaps to EU OpRes. Source: JWG analysis, 09/24
The “So What?”
For UK firms, these differences in regulatory obligations imply a greater degree of OpRes flexibility in governance, testing, and reporting strategies to fit their unique circumstances.
However, there are practical considerations for senior managers about what they will do to manage their stakeholders in the areas where DORA and UK OpRes differ:
- IBS: Can you afford not to be ICT-centric in your evaluation of OpRes threats?
- IT-risk: Could you justify why your risk governance does not meet DORA standards?
- TLPT: Can a UK firm afford not to follow EU standards when answering questions to a global market about infrastructure robustness?
- Incidents: Will UK-based firms need to adopt DORA standards to align with suppliers (e.g., report formats, timing)?
- Risk appetite: Can your firm justify taking a more principles-based approach under PS21/3 when DORA provides detailed, hands-on oversight and control mechanisms?
At the end of the day, DORA’s detailed approach not only enhances individual firm resilience, but also unifies the financial ecosystem in confronting global threats. In this light, wouldn’t it be more fruitful for UK firms to follow EU standards?
Firms must remain agile and ready, anticipating and adapting to technology threats and shifts in market and regulatory expectations. Financial institutions must build comprehensive strategies and operations that encompass the full spectrum of technological and operational risks, including AI, cloud, cyber, and quantum.
Conclusion
As we have seen from our JWG analysis, being ready and well-equipped for the UK OpRes marathon means getting ready for DORA’s high standards.
However, the reality is that we are in for a race like never before, as new technologies continue to sprint ahead, and regulators follow quickly behind. Getting fit for these sprints requires more than just meeting regulatory standards – it requires a proactive mindset and a continuous effort to stay on top of evolving threats. While the hill may seem steep for those needing to take UK OpRes efforts to EU regulators, now is not the time to shy away from the challenge.
Get in contact with us today to get fit for these sprints and ensure your long-term success in the ever-changing landscape of financial regulations. Remember – it’s not about winning one race; it’s about being prepared for the long haul.