Operational Resilience

What is operational resilience?

Financial firms build resilience to withstand disruption to their business. New rules require UK firms and market infrastructure to prepare for incidents and remain within pre-identified and limited tolerances for failure. EU firms and FMI will need to manage their ICT risks under the DORA framework. Policymakers around the world are developing similar standards.

When do the rules apply?

The UK rules started to apply in 2022, although there is a transition period before firms and market infrastructure are required to remain within tolerance levels. The EU’s Digital Operational Resilience Act started to apply in January 2025.

Podcasts series

We have a range of resources available on operational resilience including webinars which are available via our Knowledge portal. We have also launched a podcast series where our lawyers take a closer look at what operational resilience means for financial services firms.

How can we help?

We have a market-leading financial regulation practice which provides clients with risk advisory services. We also have one of the longest-standing privacy and cyber security practices in the world, with practitioners who not only understand data and crisis, but also supply chain and procurement.

DORA Level 2 Measures Tracker

The EU’s Digital Operational Resilience Act starts to apply on 17 January 2025. Before then the European Supervisory Authorities and Commission need to finalise additional requirements under the DORA framework. The table below lists the technical standards and guidelines that clarify the requirements that financial entities and critical ICT third-party service providers must observe as they implement DORA and notes their current status.

Document	Status	Date
RTS on ICT risk management framework and simplified framework	Published in Official Journal	15 July 2024
RTS on criteria for classification of ICT-related incidents	Published in Official Journal	15 July 2024
ITS to establish the templates of register of information	Published in Official Journal	2 Dec 2024
RTS to specify the policy on ICT services performed by third-party providers	Published in Official Journal	15 July 2024
RTS on sub-contracting ICT services supporting critical or important functions	Published in Official Journal	2 Jul 2025
RTS on major ICT-related incidents and significant cyber threats reporting	Published in Official Journal	20 Feb 2025
ITS on reporting details for major ICT-related incidents	Published in Official Journal	20 Feb 2025
RTS specifying elements of threat-led penetration testing	Published in Official Journal	18 Jun 2025
Guidelines on estimation of aggregated costs / losses caused by major ICT-related incidents	Finalised	17 July 2024
Guidelines on cooperation of ESAs and competent authorities re. DORA oversight	Finalised	6 Nov 2024
RTS on harmonisation of oversight conditions	Published in Official Journal	13 Feb 2025
RTS on composition of joint examination team	Published in Official Journal	24 Mar 2025
Delegated act on criteria for designating critical ICT service providers	Published in Official Journal	19 June 2024
Delegated act on oversight fees charged by Lead Overseer to critical ICT service providers	Published in Official Journal	19 June 2024
Report on the feasibility for further centralisation of reporting of major ICT-related incidents	Published by ESAs	17 Jan 2025
ESAs Guide on Oversight Activities	Published by ESAs	15 Jul 2025

Loading component...

Financial Regulation Blog

Our FRG blog where you will find insights, commentary and news on recent developments in financial regulation from our dedicated financial regulatory lawyers in London.

Explore our blog