
Operational Resilience

What is operational resilience?

Financial firms build resilience to withstand disruption to their business. New rules require UK firms and market infrastructure to prepare for incidents and remain within pre-identified and limited tolerances for failure. EU firms and FMI will need to manage their ICT risks under the DORA framework. Policymakers around the world are developing similar standards.

Explore our regulatory insights.

When do the rules apply?

The UK rules started to apply on 31 March 2022, although there is a transition period before firms and market infrastructure are required to remain within tolerance levels. The EU’s Digital Operational Resilience Act starts to apply in January 2025.

Visit our timeline which includes links to the key regulatory publications.

Podcast series

We have a range of resources available on operational resilience including webinars which are available via our Knowledge portal. We have also launched a podcast series where our lawyers take a closer look at what operational resilience means for financial services firms.

Listen to our podcast.

How can we help?

We have a market-leading financial regulation practice which provides clients with risk advisory services. We also have one of the longest-standing privacy and cyber security practices in the world, with practitioners who not only understand data and crisis, but also technology and sourcing.

DORA Level 2 Measures Tracker

The EU’s Digital Operational Resilience Act starts to apply on 17 January 2025. Before then the European Supervisory Authorities and Commission need to finalise additional requirements under the DORA framework. The table below lists the technical standards and guidelines that clarify the requirements that financial entities and critical ICT third-party service providers must observe as they implement DORA and notes their current status. 

| Document | Status | Date for text to be finalised |
| --- | --- | --- |
| RTS on ICT risk management framework and simplified framework | Final draft submitted to Commission | 17 January 2024 |
| RTS on criteria for classification of ICT-related incidents | Final draft submitted to Commission | 17 January 2024 |
| ITS to establish the templates of register of information | Final draft submitted to Commission | 17 January 2024 |
| RTS to specify the policy on ICT services performed by third-party providers | Final draft submitted to Commission | 17 January 2024 |
| RTS on sub-contracting ICT services supporting critical or important function | Draft – consultation open until 4 March 2024 | 17 July 2024 |
| RTS on major ICT-related incidents and significant cyber threats reporting | Draft – consultation open until 4 March 2024 | 17 July 2024 |
| ITS on reporting details for major ICT-related incidents | Draft – consultation open until 4 March 2024 | 17 July 2024 |
| RTS specifying elements of threat-led penetration testing | Draft – consultation open until 4 March 2024 | 17 July 2024 |
| Guidelines on estimation of aggregated costs / losses caused by major ICT-related incidents | Draft – consultation open until 4 March 2024 | 17 July 2024 |
| Guidelines on cooperation of ESAs and competent authorities re. DORA oversight | Draft – consultation open until 4 March 2024 | 17 July 2024 |
| RTS on harmonisation of oversight conditions | Draft – consultation open until 4 March 2024 | 17 July 2024 |
| Feasibility report on further centralisation of incident reporting etc. | Not yet published | 17 July 2024 |
| Delegated act on criteria for designating critical ICT service providers | Act not yet in force | 17 July 2024 |
| Delegated act on oversight fees charged by Lead Overseer to critical ICT service providers | Act not yet in force | 17 July 2024 |

Financial Regulation Insights

Our new FRG blog is where you will find insights, commentary and news on recent developments in financial regulation from our dedicated financial regulatory lawyers in London.

Explore the blog

Timeline and links to publications

October 2020 UK Consultations close

  • Consultation process ended on 1 October 2020

31 March 2022 UK Rules take effect

  • Deadline for identifying vulnerabilities in their operational resilience, identifying important business services, setting impact tolerances and carrying out mapping and testing.
  • Firms must remain within impact tolerances for each important business service as soon as possible after this date.

May 2022 EU concludes DORA talks

January 2023 EU finalises DORA

  • DORA enters into force

17 January 2025 EU rules under DORA to apply

  • DORA starts to apply two years after entry into force

31 March 2025 All UK rules to apply

  • Longstop deadline for remaining within impact tolerances.
