
Regulatory Momentum on Cyber Risk and Operational Resilience

Welcome to our first 'Compliance Digest' – we've given the DORA digest a fresh new name and a broader focus. This regular newsletter now covers all the relevant regulation, industry best practices, standards, and frameworks.  

Over the past few years, regulatory activity around cyber risk and operational resilience has intensified across the UK, EU, and globally. Regulators are responding to the evolving threat landscape with robust frameworks designed to safeguard critical sectors, most notably finance. 

This year we have seen: 

  • DORA enter into application on 17 Jan 2025 for financial entities in the EU and some EEA countries, bringing its own timelines and expectations. 

  • The PS21/3 (Building Operational Resilience) transition period come to an end on 31 March 2025. 

  • The EU’s NIS2 Directive transposed by member states, although most countries were late in implementing it, so full and uniform enforcement across the EU is still ongoing. 

  • Progress on the UK’s Cyber Security and Resilience Bill, signalling a strong commitment to keeping pace with European standards. 

  • The release of the CRA compliance matrix, providing practical tools for organisations to benchmark their preparedness. 

Learn more about these regulations below.  

Your contacts
Edward Starkie

Director, GRC | Cyber Risk

estarkie@thomasmurray.com

Shreeji Doshi

Director, GRC | Cyber Risk

sdoshi@thomasmurray.com

Spotlight on DORA: Setting the Standard in the EU 

The Digital Operational Resilience Act (DORA) is now at the forefront of the EU’s regulatory agenda. DORA establishes a harmonised approach to ICT risk management for financial entities, mandating comprehensive frameworks for risk identification, incident reporting, and third-party risk management.  

To learn more about DORA, please have a look at our extensive coverage in our DORA Digest.  


UK Equivalent: PS21/3: Building Operational Resilience in Finance 

The UK has established a robust regulatory framework for operational resilience in financial services, designed to both mirror and, in key respects, exceed the ambition of the EU’s DORA regime. The Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) have jointly prioritised this area through coordinated policy statements, culminating in FCA Policy Statement PS21/3: “Building Operational Resilience”. 

What is the Purpose and Scope of PS21/3?

PS21/3 aims to ensure that UK financial institutions can prevent, respond to, recover from, and learn from operational disruptions, whether caused by cyber-attacks, technology failures, or external events.  

PS21/3 shifts the regulatory focus from traditional risk management to building genuine operational strength and readiness for inevitable disruptions. It encourages firms to prioritise critical services, invest in resilience, and adopt a proactive approach to risk, ultimately protecting consumers, markets, and the wider economy.  

Key Requirements and Timelines 

Firms in scope were required to achieve full compliance by 31 March 2025. The main requirements were: 

  • Identify Important Business Services: Firms must determine which services, if disrupted, could cause intolerable harm to clients or pose a risk to the UK financial system’s soundness or stability. 

  • Set Impact Tolerances: For each important business service, firms must define the maximum tolerable level of disruption, measured by time and other relevant metrics. 

  • Mapping and Testing: Firms must map the people, processes, technology, facilities, and information necessary to deliver each important business service, identifying vulnerabilities and remedying them as appropriate. They must conduct scenario testing against severe but plausible disruptions to ensure services can remain within impact tolerances. 

  • Continuous Improvement: Firms are expected to regularly review and enhance their operational resilience, investing in systems and processes to address identified vulnerabilities and maintain compliance. 

  • Governance and Reporting: Senior management and boards are responsible for embedding operational resilience into the firm’s culture and must report any inability to remain within impact tolerances to the FCA. 

PS21/3 is tailored specifically for the UK financial sector and is granular in its requirements for identifying and protecting critical business services. UK firms with cross-border operations may find that compliance with PS21/3 supports alignment with DORA, particularly in areas such as cyber risk management, testing, and supply chain security. 


Beyond Finance: NIS2 and Critical Sectors 

Recognising that cyber threats extend far beyond finance, the EU has also introduced the NIS2 Directive, a DORA-like regulation aimed at enhancing the cyber resilience of operators in critical sectors such as energy, transport, health, and digital infrastructure. NIS2 expands the scope of entities covered, tightens incident reporting timelines, and requires more rigorous supply chain risk management. 

The NIS2 Directive directly influences how institutions: 

  • Safeguard sensitive financial data. 

  • Maintain operational resilience. 

  • Manage third-party risks.  

It introduces stringent requirements for financial institutions, including: 

  • Enhanced cybersecurity risk management. 

  • Stricter incident reporting timelines. 

  • Comprehensive supply chain security measures.  

Organisations must: 

  • Implement robust governance frameworks. 

  • Conduct regular risk assessments. 

  • Ensure continuous monitoring of both internal systems and third-party providers.  

Additionally, NIS2 mandates clear accountability at the senior management level and demands thorough documentation of all cybersecurity policies and incidents.  

We offer bespoke solutions to help financial institutions navigate these complex requirements. With expert risk assessments, real-time monitoring tools, and tailored compliance support, Thomas Murray enables organisations to meet NIS2 obligations efficiently and confidently, reducing regulatory risk and strengthening overall cyber resilience. Learn more about our NIS2 offering. 


UK Cyber Security and Resilience Bill: Key Proposed Changes 

The UK is responding in kind with the forthcoming Cyber Security and Resilience Bill, which will serve as the domestic equivalent to NIS2. This legislation is expected to impose similar obligations on UK operators of essential services, ensuring alignment with international best practices and maintaining the UK’s reputation as a safe place to do business. 

Proposed Changes in the Cyber Security and Resilience Bill  

  • Expands regulatory scope to include more sectors, MSPs, data centres, and critical suppliers. 

  • Aligns UK cyber laws with the EU’s NIS2 Directive. 

  • Imposes stronger supply chain security duties on regulated organisations. 

  • Enhances regulators’ powers for investigations, enforcement, and cost recovery. 

  • Updates and broadens incident reporting requirements and timelines. 

  • Designates data centres above capacity thresholds as critical infrastructure. 

  • Enables dynamic updates to guidance for emerging threats, including AI. 

  • Gives the ICO authority to regulate MSPs, including enforcement powers. 

  • Supports cyber resilience as a driver of innovation and economic growth. 

Read more about the Cyber Security and Resilience Bill on the UK Government’s website.  

Additional measures under consideration include:  

  • Bringing data centres fully into scope. 

  • New government powers to set strategic priorities. 

  • Requirements for urgent action in response to national security threats. 


The EU Cyber Resilience Act (CRA): Raising the Bar 

The Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for manufacturers, retailers, and suppliers of hardware and software products with digital elements in the EU. These requirements span the entire product lifecycle, obligating manufacturers to integrate cybersecurity into the planning, design, development, and ongoing maintenance of their products.   

Key obligations include: 

  • Conducting risk assessments. 

  • Implementing robust security controls. 

  • Monitoring for vulnerabilities. 

  • Providing timely security updates throughout the defined support period. 

Manufacturers must also ensure clear communication to end-users about cybersecurity features and provide instructions for secure use. 

Additionally, the CRA requires manufacturers to undergo conformity assessments before products can be marketed in the EU. This can be done through self-assessment or third-party certification, depending on the product’s risk profile. Products that meet these standards will bear the CE marking, indicating compliance.  

The Act also mandates incident reporting and transparency around vulnerabilities, ensuring that both authorities and consumers are promptly informed of significant security issues. Non-compliance can result in substantial fines, market restrictions, or product recalls, making adherence to the CRA a critical business obligation for all relevant stakeholders. Read more about the Cyber Resilience Act. 


Key Themes Across Regulations 

Across these frameworks, several common requirements are emerging that are fundamental to managing the adverse impact of cyber threats: 

  • Implementing risk management frameworks. 

  • Regular vulnerability testing and swift remediation. 

  • Prompt, transparent incident management and reporting. 

  • Stronger third-party and supply chain risk management. 


A Strategic Imperative for Boards 

These regulatory developments mark a paradigm shift. Investment in operational resilience and cyber security is now a strategic imperative for boards and senior management, rather than a discretionary decision.  

Regulators are encouraging, and in some cases requiring, alignment with global best practice standards such as ISO 27001 and the NIST Cybersecurity Framework—often going further by mandating continuous improvement and a proactive security culture. 


In summary: The regulatory landscape is evolving at pace. Organisations that invest in robust operational resilience and cyber security measures will be best placed to thrive in this environment. Now is the time to ensure your frameworks, processes, and culture are not only compliant but also resilient and future-ready. 
