Digital Operational Resilience Act UK Business Guide

The Digital Operations Resilience Act (DORA) is an EU regulation that comes into force in January 2025, but it also impacts UK companies.?

DORA’s remit will likely cover any UK financial firm that works with EU customers or does business with EU financial firms.?

This means that if you are an EU-facing UK bank, investment firm, fintech company or financial entity of more or less any kind (read a complete list of impacted business types here) or your business offers critical ICT services to EU financial entities, DORA compliance is probably going to be a top priority in 2024.

Of course, for some, mostly larger financial firms, the operational resilience actions that DORA mandates might already be in train. For others, especially for smaller financial firms, DORA brings new challenges around risk management, threat detection and incident reporting (which SenseOn can help with), and testing.?

In this short guide, we look at some of the most immediate DORA cybersecurity questions UK businesses will likely need to answer and explain how SenseOn is ready to help UK companies find and report incidents under DORA.

Important DORA UK Facts?

We’ve read through the current drafts of the DORA law and looked at some of the latest DORA guidance from firms like PWC and Deloitte.

Here is our assessment of what DORA will mean for UK companies.

DORA will apply to many UK businesses post-Brexit

If your UK business provides financial or critical ICT services to entities within the EU financial sector, DORA will apply to you.?

DORA overlaps with some existing UK regulations but does not share compliance

DORA shares some requirements with existing UK operational resilience frameworks like the FCA PS21/3. To become compliant with DORA, you can likely build on your existing scenario testing, dependency mapping and important business service identification work.

However, complying with existing UK standards is unlikely to mean being automatically compliant with DORA. If covered by DORA, you must understand the entire DORA regulation and do a thorough gap analysis.

UK businesses need to understand DORA’s five pillars

To take a very high-level view, DORA has five interlinked “pillars” detailing the capabilities financial services must have to resist cyber attacks.?

Covered UK businesses will need to:

• Establish robust ICT risk management frameworks.
• Manage third-party risks.
• Conduct regular digital operational resilience testing.
• Comply with strict incident reporting guidelines.
• Share threat intelligence with other FSIs.

Many small UK businesses will also be subject to DORA

DORA is an extremely broad piece of legislation. As well as major financial entities, all sizes of businesses that offer critical services to the EU financial sector are covered under this regulation.?

However, DORA’s requirements change based on the size and risk of the company. For example, microenterprises must only review their risk management frameworks periodically (instead of yearly).?

DORA has steep penalties for UK businesses

Failing to comply with DORA will cost 1% of your daily turnover for up to six months. It will also severely hamper your ability to access the EU market and your business reputation.?

Based on what happened with the GDPR, it is likely that DORA fines will a) be enforced heavily and b) increase with time.

DORA may affect your existing contracts with EU clients

DORA will likely require you to change parts of your contracts with any EU financial entity or other impacted businesses. For example, you might need to agree on new risk management and reporting standards.

Also, if your UK business is a critical third-party ICT service provider (CTTP) to EU clients, you might need to sign up for more new service level agreements (SLAs). These should include provisions for backup providers and compliance with additional regulatory standards.

A future UK version of DORA is likely

In 2022, various sources indicated that a UK equivalent of DORA was coming soon.?

While this has yet to emerge, it is likely that DORA compliance, mainly focusing on the management of third parties, is a good investment, even if you are not currently covered.

DORA enforcement is happening from January 2025

Although DORA entered into force on the 16th of January, 2023, it will only be enforced from the 17th of January, 2025.

How Can SenseOn Help with DORA?

For UK organisations aiming to comply with DORA, SenseOn can help implement the kind of comprehensive detection and response that DORA requires. SenseOn’s ability to give contextual insight into incidents can also decrease the time it takes to find and report on cyber incidents.?

Under DORA, financial entities must:

Have in place mechanisms to detect anomalous activities quickly and efficiently.?

→ SenseOn is a cybersecurity platform that combines the capabilities of EDR, NDR, UEBA, IDS, and SIEM to provide detailed visibility into an organisation’s entire digital estate (including endpoints, network, cloud, and investigator microservices) through a single console.?

SenseOn also uses a blend of detection methods (we call this “Detections-in-Depth”), including rules and signatures, user and entity behavioural analysis, supervised and unsupervised machine learning, and deception techniques.?

Define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff.?

→ SenseOn uses a unique technology called “AI Triangulation” to mimic how a human analyst thinks and acts when faced with alerts.?

Instead of flagging every single unusual event as suspicious (and overwhelming analysis), SenseOn looks at data across the organisation’s environment to see if there’s a potential correlation across events and compares them to real-world hypotheses through Expert Reasoning and Machine Reasoning frameworks.?

The result is that only alerts that are most likely to be genuine are flagged (others are recorded but not surfaced).

In cases of time-sensitive attacks like ransomware, SenseOn can also take automatic action to isolate infected devices to prevent the attack from spreading.?

Record ICT-related incidents and cyber threats to ensure root causes are identified, documented, and addressed & Establish systems to monitor, manage, log, classify, and report ICT-related incidents to regulators and potentially affected clients and partners.?

→ SenseOn maps suspicious events visually. Events are shown chronologically, with the relationship between affected devices mapped clearly. Each technique is also plotted against the MITRE ATT&CK framework to give security professionals a better idea of who is targeting them, what type of attack is underway, and what they need to do to stop it.?

Book a demo with SenseOn today to find out how we can help you find and report incidents under DORA.