The financial services sectors in Europe and the UK are bringing in new regulations to bolster operational resilience. The new rules focus primarily on technology and its governance, to ensure resilience is baked in by design across all the critical technology elements that drive financial-services organisations.
The UK’s FCA introduced its Operational Resilience Rules and Guidance on 31 March 2022, with a three-year onboarding requirement to meet the new regulation. The Guidance states that, by 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to the level of sophistication necessary to do so.
In a similar effort, the EU is planning to introduce DORA, its Digital Operational Resilience Act, towards the end of 2022 or early 2023. It is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector, so that all participants in the financial system are subject to a common set of standards for mitigating ICT risks to their operations. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. The proposal also introduces an oversight framework for critical third-party providers, such as cloud service providers. DORA’s implementation window is expected to be around two years.