What is it?
The Digital Operational Resilience Act (EU) and PS21/3 Building operational resilience (UK – FCA) affect financial entities operating in the EU and UK respectively, requiring compliance with similar sets of behaviours and practices, intended to ensure that they are operationally resilient in the face of modern IT incidents and challenges.
DORA compliance became enforceable in January 2025, and the deadline for the UK Financial Conduct Authority’s regulations is the 31st of March 2025.
Firms affected are financial in nature – banks, building societies, insurers etc. – and trading in the EU or the UK depending on the regulation. UK entities operating in the EU may need to be compliant with both sets of regulations.
This sort of regulation of organisations’ IT operations is only likely to expand beyond the financial services industry (FSI) in future, with the EU’s NIS2 recently passing its implementation deadline, and the UK’s own Cyber Security and Resilience Bill set to be introduced to Parliament this year.
It is important to note that third-party supply is taken into account. IT outsourced? Turnkey software solution managed by the vendor? Hopefully they or their technology are compliant too, as firms will still be on the hook.
Why?
Traditional IT outages – which we think of when talking Disaster Recovery (DR) – concern loss of power, device failures, user error and so on. Cyber-attacks, distributed service loss and at-scale software failure are asymmetrical warfare for organisations ready to deal with traditional DR. Put simply, we are not prepared.
Add to this the interdependent nature of modern services and our lifestyles; think for instance of the scale of disruption from banking app failures only this year, which had the UK Treasury Committee writing to 9 UK banks demanding information on the scale and impact of IT failures. The lack of preparedness has wide-reaching implications.
What does this mean to an IT partner?
Leaving it to the last minute is human nature. Depending on how you look at it, we either passed the last minute 1062 days ago (at time of writing) or are living in it right now. In either case, CMS distribute for several ISVs with powerful solutions building towards operational resilience in IT, through their technology and the behaviours it enables.
Build a comprehensive data protection, testing and recovery plan with Commvault, consolidate innovative but unsupported open source solutions onto Enterprise-ready, supported solutions from Red Hat, and deploy proactive cyber mitigation across your customers’ networks with ThreatDown, to name just a few.