2025: The Year of Operational Resilience
Insight Articles, 19 February 2025
UK & Europe | Tech & AI evolution | Technology, Outsourcing & Data
The New Year begins with a strong focus on cybersecurity and operational resilience. The EU Commission's Cybersecurity Strategy is being actively implemented through the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2). These initiatives aim to harmonise cybersecurity and digital operational resilience standards across critical economic sectors. Financial institutions, as well as essential and important organisations providing services under either Act in the EU, must implement effective policies and procedures to manage and protect against cyber incidents. Both legislative frameworks have extraterritorial effect, meaning UK businesses offering relevant services will likely fall within scope, subject to the qualifying requirements specified in each Act. In this article, we explore the implications of DORA and NIS2 from a UK perspective.
DORA
Effective from 17 January 2025, DORA applies not only to traditional financial institutions, such as banks, investment firms and the insurance sector, but also to newer technology services such as crypto-asset service providers and crowdfunding service providers, as well as their ICT[1] third-party service providers.
DORA aims to enhance the operational resilience of these entities through five key areas:
- Risk Management Framework: Implementing strategies, policies and procedures to manage ICT risks. The framework must be documented and reviewed annually or after major incidents.
- Incident Reporting: Establishing an ICT-related incident management process to detect, classify, notify and record incidents. Major incidents must be reported to competent authorities within 4 hours of classification or no later than 24 hours from detection. Intermediate and final reports are also time sensitive.
- Threat-Led Testing: Conducting annual ICT system tests and threat-led penetration tests at least every three years.
- Management of Third-Party Service Providers (TPSPs): Ensuring TPSPs’ compliance with DORA standards, particularly critical TPSPs, which will be supervised by European Supervisory Authorities under the Oversight Scheme.
- Intel Sharing: Participating in information exchange with competent authorities to raise awareness, limit attack spread, support defence capabilities and aid in response and recovery stages.
DORA does not apply to financial entities in the UK unless the entity also provides services in the EU.
However, UK financial entities face similar challenges under national regulations. The Bank of England, the Financial Conduct Authority and the Prudential Regulation Authority (collectively known as the “UK Regulators”) have implemented a policy framework aimed at bolstering the resilience of financial institutions and Financial Market Infrastructures (FMIs). Unlike DORA, the UK policy framework addresses all types of operational disruption, extending beyond digital resilience alone.
From 31 March 2025, financial entities[2] in the UK must:
- Identify important business services (I)
- Set impact tolerances for each important business service (I)
- Implement resilience strategies, processes and systems (I)
- Map supporting resources (i)
- Test resilience (i)
- Conduct lessons-learned exercises
- Maintain compliance self-assessments (I)
- Develop communication strategies, and
- Meet governance and senior management obligations (I)
Under PRA rules, insurers must comply with the obligations marked (I). In addition, where a firm is a member of a group, it must ensure that it accounts for any additional risks arising elsewhere in the group which may affect its ability to comply with the testing obligation (obligation 5 above)[3].
Currently, there are no incident reporting obligations, but changes are expected following the December 2024 Consultation Paper (CP17/24) on Operational Incident and Outsourcing and Third-Party Reporting. Firms will need to report incidents impacting consumer harm, market integrity, or safety and soundness, using criteria provided by the regulators.
Relevant entities will be required to submit material third-party notifications in a standardised format and to maintain a register for the Bank. The Consultation closes on 13 March 2025, with policy statements expected in late 2025 and implementation by autumn 2026.
Similar to DORA, the Critical Third-Party rules, effective from 1 January 2025, set out the oversight scheme for UK Critical TPSPs. Statutory obligations will apply upon designation by the Treasury. In the autumn, HM Treasury is expected to start designating the first Critical TPSPs. A joint supervisory statement, a memorandum of understanding and the Regulators' Approach outline the rules and criteria for designation of Critical TPSPs.
The UK regulators are also reviewing the results of the CBEST 2024 Report which assesses the cyber resilience of key financial institutions following threat-led penetration tests carried out throughout the year. Key areas for improvement identified include poor identity management and access control, insecure configurations and unpatched vulnerabilities, ineffective network security and lack of staff training. These findings may lead the regulators to consider further changes in policy.
NIS2
Like DORA, NIS2 is EU legislation and therefore does not apply to the UK. However, as the UK is making changes to its cyber security laws, NIS2 will remain relevant for UK organisations to consider, particularly if they operate in the EU.
Directive (EU) 2022/2555 (known as ‘NIS2’) aims to harmonise cybersecurity standards across essential and important service providers. It builds upon its predecessor, the Network and Information Security Directive (EU) 2016/1148 (known as ‘NIS1’), covering more sectors and incorporating stronger cybersecurity requirements. It applies to public and private entities of certain sizes, public administration entities providing specified electronic services, domain name registration service providers, and critical entities. Key obligations include:
- Cybersecurity Risk Assessment: Mandating a multi-risk approach with minimum technical and organisational measures.
- Supply Chain Risk Assessment: Effectively managing TPSPs to ensure compliance with NIS standards.
- Reporting Obligations: Specific requirements for significant security incidents.
- Registration: Mandates important and essential entities to register with competent authorities.
- Intel Sharing: Exchanging relevant cybersecurity information to help the prevention, detection and response to or recovery from incidents.
In the UK, the Network and Information Security Regulations 2018, derived from the EU NIS1 Directive, remain in place. But given the UK’s departure from the EU, NIS2 has not been adopted (transposed). However, UK businesses that operate within the EU will need to comply with NIS2 requirements.
Until the UK government chooses to adopt a more uniform approach, like that taken in the EU, UK businesses will need to draw their guidance from a patchwork of legislation on data privacy and cyber security, including: the UK GDPR; the NIS Regulations 2018 (which in the EU have been superseded by NIS2); the Privacy and Electronic Communications Regulations 2003, which govern the privacy rights of individuals in relation to electronic communications; the Product Security and Telecommunications Infrastructure (PSTI) Act, concerning cybersecurity standards for IoT[4] devices; and OFCOM’s Network and Service Resilience Guidance, concerning operational resilience standards for communication providers under the Communications Act 2003.
DORA v NIS2
DORA and NIS2 share common goals including minimising cyber incident impacts, setting technical and organisational measures, incident reporting, mandatory intel sharing, board accountability, and TPSP management.
However, there are also notable differences. DORA is directly applicable: member states do not need to pass it into their own laws for it to become enforceable, and it takes effect in the same terms and on the same date across all member states. NIS2, as a Directive, requires transposition into domestic law in each member state. Directives are also more flexible: when transposing a directive, member states may choose to change its provisions to the extent permitted by EU law[5].
DORA targets financial entities (and their ICT third party service providers) whereas NIS2 covers essential and important organisations across various industries. DORA includes a detailed four-step incident reporting process and distinguishes between major incidents and cyber threats, unlike NIS2. Additionally, NIS2 specifies fines up to €10 million or 2% of annual global turnover for non-compliance, while DORA does not mention penalties for financial entities.
Improving Cyber Resilience
Whilst the UK is not bound by EU legislation like DORA and NIS2, they nevertheless remain relevant and provide instructive guidance to ensure cyber resilience.
Here are ten essential tips drawn from DORA and NIS2 that will improve cyber risk and security management:
- Conduct a Gap Analysis: Identify shortcomings in ICT risk management, incident reporting, and third-party oversight.
- Strengthen ICT Risk Management: Develop a comprehensive framework to manage ICT risks, covering all digital assets and interdependencies.
- Develop an Implementation Plan: Set clear timelines and allocate roles, responsibilities, and resources to align with DORA and NIS2 mandates.
- ICT Supply Chain Mapping and Oversight: Identify ICT suppliers, assess gaps, and review vendor contracts and third-party risk management practices.
- Streamline Incident Reporting: Ensure efficient incident reporting processes to comply with the applicable framework.
- Test Resilience: Conduct regular testing, including stress and penetration tests, to ensure ICT systems can withstand disruptions.
- Enhance Communication: Keep the Board and stakeholders informed about regulatory developments and encourage departmental collaboration.
- Invest in Training and Awareness: Train staff on legal requirements and the importance of cybersecurity and operational resilience.
- Leverage Technology Solutions: Use technology to manage and monitor ICT risks effectively.
- Stay Informed: Keep up to date with legislative changes and track the transposition and implementation of EU directives.
Comment
In light of developing legislation on cyber resilience, UK financial entities face not just an increasingly demanding operational resilience framework, but potentially a wide range of regulations if they provide services in the EU. The complexity of ensuring operational resilience has intensified as a result of the increase in technological changes, hostile cyber environments, cross-border dependencies and outsourcing arrangements. Regulators expect firms to focus on delivering products and services using protective mechanisms like backup plans and recovery options.
As the UK government continues to develop its legislative position on cyber security and resilience, UK businesses appear to have no option but to continue ensuring effective compliance and policy implementation while consistently monitoring and tracking legislation in each jurisdiction where they provide their services.
Applicability & requirements of EU & UK operational resilience frameworks (cells whose content was not present in the source table are left blank)

| | EU: DORA | EU: NIS2 | UK: PRA & Bank of England Rules | UK: FCA |
|---|---|---|---|---|
| Applicability | | | | |
| Included entities | | | | |
| Example entities | | | Banks; insurance carriers; investment firms | |
| Size requirements | ICT management does not apply to: | For NIS2 to apply the entity must have: Note that if only one of the financial conditions exceeds EUR 10 million, the entity will still be considered a small or micro enterprise | N/A | Particular entities may be subject to size requirements. |
| Proportionality | | | | |
| Geographic scope | | | | |
| Requirements | | | | |
| Regulatory priority | | | | |
| Risk mapping | | | | |
| Strategy | | | | |
| Resilience testing | | N/A | | |
| Registration | | | | |
| Reporting | | | | |
| Intelligence sharing | | | N/A | N/A |
| Enforcement | | Essential entities; important entities | | |
[1] Information and Communication Technology
[2] Senior Management Arrangements, Systems and Controls sourcebook (SYSC) and Section 1.1. of the PRA Rulebook on Operational Resilience, Section 15A.
[3] PRA Rulebook, Insurance – Operational Resilience, Provisions 1 – 9. This section of the Rulebook also applies to Lloyd’s and managing agents separately.
[4] Internet of Things