
Understanding the Digital Operational Resilience Act (DORA) and its Impact on ICT Incidents 

As the digital landscape continues to evolve, so too do the regulations designed to safeguard the operational integrity of financial institutions. In recent years, incidents involving Information and Communication Technology (ICT) have raised concerns over operational resilience, prompting governments and regulatory bodies to introduce frameworks designed to address this growing risk. Among these, the Digital Operational Resilience Act (DORA), applicable as of January 17th, 2025, is one such regulation that aims to fortify the EU financial sector against the growing threat of cyber risks and ICT disruptions. In the UK, a similar transitional period will end on March 31st, 2025, marking a significant deadline for firms to comply with new regulations on operational resilience set by the Financial Conduct Authority (FCA). This article explores the relevance of DORA and the FCA’s operational resilience framework, examining whether these regulations will reduce the likelihood and impact of incidents like the Barclays IT failure and similar cases. 

Your contacts

Edward Starkie, Director, GRC | Cyber Risk, estarkie@thomasmurray.com

Shreeji Doshi, Director, GRC | Cyber Risk, sdoshi@thomasmurray.com

Summary: DORA’s Applicability and the FCA’s Operational Resilience in the UK

The Digital Operational Resilience Act (DORA) applied to financial institutions across the European Union starting January 17, 2025. DORA aims to enhance the ability of financial entities to withstand and recover from ICT disruptions. The regulation sets out detailed requirements covering governance, risk management, incident reporting, testing, and third-party oversight. DORA ensures that firms have robust measures in place to avoid, manage, and recover from ICT failures that could harm customers, market integrity, and financial stability. 
 
In the UK, the transition to a similar regulatory framework is aligned with the FCA’s Operational Resilience rules, which have been set to come into full force by March 31, 2025. These rules require UK financial institutions to identify and plan for their important business services, setting limits on how much disruption is acceptable and ensuring they can continue providing critical services even during operational failures. These new regulations align with global trends in enhancing financial sector stability by strengthening resilience against increasing cyber threats. 

Do DORA and FCA Operational Resilience Reduce the Likelihood or Impact of ICT Incidents? 

While regulations like DORA and the FCA’s Operational Resilience requirements represent significant strides toward improving the financial sector’s operational resilience, the question remains: do these regulations effectively reduce the likelihood and impact of ICT incidents?  
  
The answer is complex. Regulations such as DORA and the FCA’s rules establish important frameworks that require financial institutions to assess and address vulnerabilities in their ICT systems. The mandates for better risk management, comprehensive incident response plans, and testing requirements are designed to ensure that firms are more proactive in their approach to cyber threats and ICT disruptions.  
  
However, even with the most rigorous regulations, the likelihood of incidents such as cyberattacks or system failures cannot be entirely eradicated. The increasing sophistication of cyber threats means that while institutions may be better prepared to handle such incidents, they cannot guarantee prevention. Nevertheless, the regulations are expected to reduce the likelihood of such disruptions as organisations mature their proactive risk management, to limit the overall impact, and to improve the speed of recovery from incidents by ensuring that firms have designed and tested their response and recovery plans effectively.  

One potential and understated benefit that we will hopefully realise is a reduction in the knock-on effect of an ICT operational resilience incident on interconnected businesses. With mandatory and detailed ICT incident reporting to regulators, regulators would have the tools and information to forewarn interconnected businesses about the possible impact of an ICT incident on them, and additionally to share the lessons learned from the incident more broadly or include them in supervisory assessments, further reducing and limiting the impact of an ICT operational resilience incident.  

Barclays IT Incident: Fallout and Implications 

What Is the Barclays IT Incident?  
On January 31, 2025, Barclays faced a major IT outage that disrupted online and mobile banking, as well as payment processing. The incident, unrelated to a cyberattack, coincided with the HMRC self-assessment tax deadline, causing significant inconvenience. Customers struggled to access accounts, make payments, and view balances, affecting individuals and businesses alike. In response, Barclays extended call center hours, worked to process delayed payments, and assured customers they wouldn’t face financial loss. HMRC also delayed late payment penalties until March 1. By February 2, services were restored, though some customers experienced lingering balance update delays.  

Anecdotal impact of such incidents on end consumers, as reported in various media:  

  • A self-employed cleaner told BBC News she had been trying to access money with her partner from their savings account for several hours so she could buy milk for a baby and food for five other children she is looking after at home.  
  • "I sat outside the new house with all belongings in a removal truck for over four hours but no alternative solution could be found," she told the BBC. The 61-year-old said she was in a hotel for the weekend and has "several thousand pounds more costs to incur" and "no friends free to help with the [house] removals if they go ahead on Monday".  
  • "I have lost thousands of pounds due to my online store being unable to receive payments as we have a Barclays account,"  
  • A businessman from Petworth, West Sussex, said on Saturday he had been unable to pay his staff or HMRC.  

Fallout of the Barclays IT Incident    
The Barclays incident highlighted that such incidents do not only affect businesses in terms of losses; there are real-world implications for people's ability to live and get through their day-to-day needs.  

The fallout from the Barclays IT incident was not confined to just the bank’s operations. It raised alarm bells throughout the UK financial sector, with regulators, clients, and investors questioning the resilience of the bank’s technology infrastructure.   

This rightly led to a formal inquiry by the UK Treasury Committee, which wrote to Barclays and eight other major banks in the UK, urging them to review their operational resilience and respond to concerns raised by the incident. The inquiry sought detailed answers on how these banks ensure the operational continuity of essential services, particularly in times of system failure.  
  
The Treasury Committee’s concerns centred around whether financial institutions were properly prepared for ICT failures, whether existing regulations were being followed, and whether banks were sufficiently transparent about their operational vulnerabilities. The committee emphasised the importance of robust systems to avoid such disruptions and ensure continuity of critical financial services.  

Key Questions for Barclays Bank by the Treasury Committee 
Following the incident, the Committee put several questions to Barclays that it must answer, including:  

  • Failure Overview – Details of the outage, its cause, customer impact, timeline, and affected banking channels (app, web, branch, ATM, cards). Also includes when services were restored.  
  • Prevention Measures – Steps Barclays will take to avoid future outages.  
  • Board Response – Actions taken by Barclays’ Board to address the incident.  
  • Customer Impact – Number of affected customers, including vulnerable groups.  
  • Complaint Management – Whether Barclays will proactively reach out to affected customers or rely on complaints being reported.  
  • Compensation Estimate – Expected payouts and timeline for compensating customers.  
  • Customer Service Response – Changes in response times and additional resources allocated.  
  • Fraud Risk Management – How Barclays handled potential fraud during the outage and measures taken to assist affected customers.  
  • Past IT Failures – Data on previous outages over the last two years, including duration and affected banking channels.  
  • Customer Impact of Past Failures – Number of customers affected by each previous outage.  
  • Past Compensation – Amount paid to customers due to IT failures in the past two years.  
  • Failure Causes – Reasons behind Barclays’ previous IT failures.  

While we await the responses from Barclays and the other eight major banks, it is clear from the questions and their focus that ensuring operational resilience is one of the most important priorities for the judiciary and regulators. 

How Regulations Can Address These Questions and Enable Organisations to Become More Resilient

In principle, assuming Barclays is complying with the FCA's operational resilience requirements and DORA, that compliance should enable Barclays to respond to the Treasury Committee's questions transparently and effectively.

The implementation of DORA and the FCA’s Operational Resilience requirements represents a positive step toward strengthening the financial sector’s defence against ICT disruptions. While they cannot guarantee that incidents like the Barclays IT failure will never occur again, these regulations significantly improve the chances of limiting their impact. By mandating better risk management, resilience planning, and transparency, DORA and the FCA rules ensure that financial institutions are better prepared to handle and recover from ICT incidents swiftly and effectively, benefiting both firms and their customers in the long term.

Contact us to learn more about how Thomas Murray can support your organisation in improving operational resilience and about our DORA solution offering.
