Operational Resilience
What is operational resilience?
Financial firms build resilience to withstand disruption to their business. New rules require UK firms and market infrastructure to prepare for incidents and remain within pre-identified and limited tolerances for failure. EU firms and FMI will need to manage their ICT risks under the DORA framework. Policymakers around the world are developing similar standards.
When do the rules apply?
The UK rules started to apply in 2022, although there is a transition period before firms and market infrastructure are required to remain within tolerance levels. The EU’s Digital Operational Resilience Act started to apply in January 2025.
Visit our timeline which includes links to the key regulatory publications.
Podcasts series
We have a range of resources available on operational resilience including webinars which are available via our Knowledge portal. We have also launched a podcast series where our lawyers take a closer look at what operational resilience means for financial services firms.
How can we help?
We have a market-leading financial regulation practice which provides clients with risk advisory services. We also have one of the longest-standing privacy and cyber security practices in the world, with practitioners who not only understand data and crisis, but also technology and sourcing.
DORA webinar: How DORA is impacting UK operational resilience rules
Monday 10 February 2025, 14:00 to 15:00 GMT
Location: Virtual
Our series of webinars on the EU’s Digital Operational Resilience Act returns. In this webinar we will provide an update on the latest regulatory developments and a look ahead to what happens next now that DORA is in effect.
DORA webinar: What lawyers need to know about the DORA register
Wednesday 20 November 2024, 10:00 to 11:00 GMT
Location:
In the latest instalment of our DORA webinar series we explore the register of information and how regulators and firms will use it to build operational resilience in the financial sector.
DORA webinar: Getting your contracts DORA-ready
Monday 23 September 2024, 12:00 to 13:00 GMT
Location: Global
The EU’s Digital Operational Resilience Act requires financial firms to reassess their arrangements with technology providers. With only a few months to go before DORA starts to apply, updating contracts in time for the January deadline is a priority. In the next instalment of our series of webinars on DORA we will:
- Give an update on the latest regulatory developments from over the summer
- Look at DORA’s requirements for contracts, including those beyond Article 30
- Discuss how to manage third party risks, including supply chain risks
DORA Level 2: How to respond to the latest technical standards
Tuesday 23 July 2024, 12:00 to 13:00 BST
Location: Virtual
The next instalment in our DORA webinar series will mark six months to go before the EU’s Digital Operational Resilience Act starts to apply. The European Supervisory Authorities are about to put the finishing touches to their second batch of DORA technical standards. These will include important rules for financial firms and their tech providers on sub-contracting, incident reporting and threat-led penetration testing.
Join us for this webinar in which we will outline what the technical standards aim to do, how the draft texts have changed and what happens next.
DORA deep dive: Open questions for EU operational resilience rules
Thursday 20 June 2024, 12:00 to 13:00 GMT
Location: Virtual
Financial firms and their tech providers are accelerating their implementation of the EU’s Digital Operational Resilience Act. But as we rapidly approach January’s DORA deadline, important legal questions remain outstanding. How you approach these issues will have a meaningful impact on your DORA projects and ongoing compliance.
Join us for this webinar on 20 June, 12:00 BST on how DORA applies to delegated financial services, the scope of ICT services and critical or important functions and how firms and ICT service providers should approach the rules on subcontracting.
What does DORA mean? A recap of new EU rules on operational resilience
Thursday 16 May 2024, 14:00 to 15:00 GMT
Location: Virtual
As the clock ticks down to the 17 January 2025 deadline, implementation projects are moving into a critical stage and more people are having to grapple with what DORA means in practice. Join us on 16 May for a webinar during which we will give an introduction to the regime and the key points for you to note.
Asset Management Spotlight: DORA in focus in Ireland and Luxembourg
Thursday 21 March 2024, 12:00 to 13:00 GMT
Location: Virtual
There is less than a year left for asset managers to prepare for the EU’s Digital Operational Resilience Act. Join us on 21st March, 12:00 for this Asset Management spotlight virtual session where Raza Naeem and Marie-Christine O’Mahony (Linklaters) and Sarah Thompson and Ian Duffy (Arthur Cox) will discuss key aspects of the upcoming DORA regime; the interplay of the new rules with existing rules and guidance in Luxembourg and Ireland; and the key considerations for asset management firms as they continue their implementation journeys.
DORA Level 2: How the technical standards impact you
Wednesday 31 January 2024, 12:30 to 13:30 GMT
Location: Virtual
Join us for this webinar on 31 January at 12:30 GMT in which we will work through the draft DORA Level 2 regulatory technical standards and implementing technical standards, highlight recent changes to these RTS and ITS and look ahead to what firms need to do next.
UK financial regulators draft rules for critical service providers
11 December 2023
In a consultation the UK financial regulators have proposed rules for providers of critical services to the financial sector. The FCA, PRA and Bank of England explain how service providers will be designated as critical and the rules that would apply to these critical third parties.
DORA: EU explores new territory with operational resilience rules
17 October 2023
This guide to DORA summarises the EU's Digital Operational Resilience Act. It provides an overview of the requirements for financial entities and providers of ICT services.
What do the DORA technical standards mean for you?
Wednesday 19 July 2023, 12:00 to 13:00 GMT
Location: Virtual
Thank you for joining our DORA technical standards webinar during which we walked through the RTS and ITS, highlighting the practical implications for your business, and talked about what an effective DORA implementation plan looks like.
This webinar was of interest to all EU financial entities, including banks, insurers, asset managers and payments firms, as well as firms providing ICT services to the financial sector.
DORA Explored: How the EU’s rules for digital operational resilience affect you
Tuesday 4 October 2022, 09:00 to 10:00 GMT +1
Location: Global
The financial services sector has gone digital. The technology that firms rely on brings benefits but also introduces new risks when firm’s operations are disrupted. To address this, the EU is expected to finalise a digital operational resilience act in the coming weeks.
Known as DORA, the new regulation will require practically all financial entities in the EU to apply uniform standards for managing ICT risks. Join our webinar to hear our panel of experts discuss what DORA does, what happens next and experiences of implementing the equivalent UK requirements.
US: Congress passes new cyber incident reporting requirement
15 March 2022
The Cyber Incident Reporting for Critical Infrastructure Act has been unanimously approved by the U.S. Senate. This requires critical infrastructure entities and federal agencies to report significant cyber incidents within 72 hours of the incident and within 24 hours if a ransomware payment was made.
Global Tensions Trigger Surge in Cyber Attacks: 5 Key Preparedness Steps
25 February 2022
In the past few weeks, governments around the world, including the UK, US, Australia and New Zealand, have issued warnings that Russia’s invasion of Ukraine could lead to intentional or spillover cybersecurity attacks on organizations outside the region. It Is clear from our conversations with third parties and our threat intelligence partners that there is without a doubt increased malware activity, as well as scans targeting corporations.
US: Today’s cyber threat is far from over…and the SEC knows that
26 January 2022
Russia’s crackdown on hacker group, REvil, is a good sign but days later Ukrainian government sites were taken down, allegedly by Russian hackers. The link between cybersecurity and US national interest has not escaped the SEC who are expected to continue to take a tough stance on cybersecurity.
UK: Telecommunications (Security) Act 2021 heralds a step change in cyber laws
25 November 2021
The Telecommunications (Security) Act 2021 is likely to impose some of the world’s toughest cyber security obligations. We consider the reasons for this step change and the practical compliance challenges.
As Cyber Threats Grow, So Do Your Compliance, Litigation and Arbitration Risks: Are you Ready?
23 November 2021
In our eighth webinar of the Global Business Crime Outlook Series, we will be discussing a range of topics including compliance, litigation and arbitration in the event of a cyber-attack with a particular focus on Latin America.
How AI in financial services is regulated in the UK
7 October 2021
Using artificial intelligence in the financial sector requires careful consideration of the regulatory framework. For example, UK firms deploying AI must take into account not only high-level principles, activity-specific rules and their reliance on third parties, but also how the novel features of AI models interact with individual accountability requirements.
US - The SEC makes its mark on cyber
2 September 2021
The SEC is done playing around. This summer it has demonstrated its resolve bringing actions against public companies for alleged poor disclosures, and against SEC registrants for alleged poor cybersecurity controls.
US - NYDFS Issues Ransomware Guidance: What’s a Lawyer to Do?
22 July 2021
The New York Department of Financial Services has joined the fight against ransomware issuing guidance to assist companies prepare and respond to ransomware. We consider the lawyer’s role in responding to this guidance.
UK’s operational resilience plans and how they impact fintech
24 June 2021
UK challenger banks, e-money firms and payment institutions are among those who need to be ready by 31 March 2022.
5 Steps You Can Take Today to Improve Your Organization’s Cybersecurity Preparedness
28 June 2021
Our global cybersecurity team shares 5 key steps you can take today to improve your organization's cybersecurity.
Timetable set for financial firms to bounce back from business disruption
20 April 2021
The UK financial services regulators have put the final touches to their new set of rules on operational resilience. Firms have been given one year to get ready before the regime starts to apply.
Operational Resilience: Firms told to build their bouncebackability
29 March 2021
Nearly three years in the making, the FCA, PRA and Bank of England have finalised their proposed rules on operational resilience. The first key deadline for compliance is 31 March 2022.
Approaching the UK’s operational resilience reforms: How to ensure you do it once and do it right
25 March 2021
In this speech at the OpRisk Global conference, Julia Dixon and Pansy Wong share their insights on how financial institutions can set themselves up for success when implementing their Operational Resilience Programs.
What a review of IT upgrades says about FCA’s plans for operational resilience
19 March 2021
Nothing causes as much despair in the world of IT as an “upgrade” that goes wrong. For a financial services firm, a failed IT upgrade can cause severe disruption to customers and so the UK Financial Conduct Authority (FCA) has recently looked at how financial services firms update their technology. Its findings are a prelude to incoming rules on operational resilience.
How the EU plans to use DORA to build operational resilience in financial services
18 March 2021
As technology entrenches itself in financial services, policymakers are looking more closely at the sector’s exposure to the risks of digitalisation. In this briefing we summarise the European Commission’s proposals for a Digital Operational Resilience Act, known as DORA, which would apply to not only EU financial entities but also some technology service providers.
Operational resilience in a nutshell
18 March 2021
The incoming UK operational resilience regime represents a major exercise in regulatory change management. This one-pager provides a high level overview of the main rules, key defined terms and upcoming dates.
Operational resilience: A case study for Boards
10 March 2021
The UK regulators are preparing to require firms to embed an operational resilience framework within BAU operations by 2024. The three-year transition hints at the significant design and implementation work that will need to be completed. This regulatory change, which comes hot on the heels of recent high-profile disruption in financial services and the Covid-19 pandemic, makes operational resilience the perfect case study when it comes to considering effective Board oversight and governance.
Five lessons for firms’ operational resilience planning from the FCA’s review of technology change
9 February 2021
The FCA is due to finalise new requirements on operational resilience which will impact a broad range of UK financial institutions. Before then, it has released its findings from a review on how financial firms manage, or in some cases fail to manage, IT upgrades and other technology changes. In this summary we highlight some of the FCA’s findings and suggest lessons for firms to build into their operational resilience planning
Financial Regulation Insights
Our new FRG blog where you will find insights, commentary and news on recent developments in financial regulation from our dedicated financial regulatory lawyers in London.
Timeline and links to publications
December 2019 UK Consultation Papers
- FCA Speech: The View from the Regulator on Operational Resilience
- BoE/PRA/FCA Joint Forward: Building Operational Resilience – Impact Tolerances for Important Business Services
- FCA Consultation Paper: CP19/32 on Buidling Operational Resilience
- PRA Consultation Paper: CP29/19 on Building Operational Resilience
- PRA Consultation Paper: CP30/19 on Outsourcing and Third Party Risk
- BoE Consultation Paper: Operational Resilience for Central Counterparties (CCPs)
- BoE Consultation Paper: Operational Resilience for Recognised Payment System Operators and Specified Service Providers
- BoE Consultation Paper: Operational Resilience for Central Securities Depositories (CSDs)
October 2020 UK Consultations close
- Consultation process ended on 1 October 2020
March 2021 UK Final rules
- BoE/PRA/FCA Joint Policy Paper on Operational Resilience
- FCA Policy Statement: PS21/3 Building Operational Resilience
- PRA Policy Statement: PS6/21 Operational Resilience: Impact Tolerances for Important Business Services
- PRA Supervisory Statement: SS2/21 Outsourcing and Third Party Risk Management
- Bank of England Policy Statements
31 March 2022 UK Rules take effect
- Deadline for identifying vulnerabilities in their operational resilience, identifying important business services, setting impact tolerances and carrying out mapping and testing.
- Firms must remain within impact tolerances for each important business service as soon as possible after this date.
January 2023 EU finalises DORA
- DORA enters into force
13 December 2024 UK consultations open
17 January 2025 EU rules under DORA to apply
- DORA starts to apply two years after entry into force
13 March 2025 UK consultations close
- Deadline for responding to FCA, PRA and Bank of England consultations on operational incident and third party reporting
31 March 2025 All UK rules to apply
- Longstop deadline for remaining within impact tolerances.
