Technology and Outsourcing 2025

UK Trends and Developments Contributed by: Alison Beal, Joel Harrison and Michelle Kirschner, Gibson, Dunn & Crutcher LLP

Operational Resilience

The UK’s operational resilience regime under the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England – implemented through FCA Policy Statement PS21/3: Building Operational Resilience, the FCA Handbook rules (including SYSC 15A on Operational Resilience) and associated PRA Supervisory Statements SS1/21 – takes an outcomes-focused approach that requires firms to identify important business services, set impact tolerances and test their ability to remain within those tolerances during severe but plausible disruptions. The UK’s initial implementation deadline passed in March 2022, with firms expected to be able to remain within impact tolerances by 31 March 2025. By comparison, the EU’s Digital Operational Resilience Act (DORA), which has applied from January 2025, sets a prescriptive, harmonised framework for ICT risk governance, incident classification and reporting, resilience testing, and oversight of critical third-party providers across the EU. DORA is expressly focused on ICT risk, whereas the UK framework is broader and technology-agnostic, addressing continuity of important business services regardless of the source of disruption (including non-ICT causes such as people, process or facilities).

While the UK regime primarily applies to FCA and PRA authorised firms, it also captures non-UK groups and service providers in practice. This means that UK-authorised subsidiaries and UK branches of overseas firms must meet the UK operational resilience and outsourcing requirements, and UK-regulated firms are expected to flow down access, audit, information, security, sub-outsourcing and exit provisions to third-country providers through contracts and intragroup arrangements. In parallel, the EU’s DORA primarily applies to EU-authorised financial entities but has practical reach beyond the EU in two ways. First, EU firms increasingly require group-level policies and contractual commitments that reflect DORA’s ICT governance, testing and reporting standards, meaning UK and other third-country groups that provide services into the EU or operate via EU entities will need to evidence DORA-aligned controls in their policies and contracts (including intragroup arrangements). Second, DORA establishes EU-level oversight of any ICT third-party provider designated as “critical”, regardless of domicile; as a result, certain non-EU providers – including UK-based ICT and cloud providers – may be brought within direct EU supervisory oversight if designated.

In addition, the statutory regime under the Financial Services and Markets Act 2023 enables the designation and UK-level oversight of third parties that are “critical” to the finance sector – potentially including non-UK providers – so that minimum resilience standards can be set and tested irrespective of the provider’s domicile. Cross-border groups therefore often implement UK-aligned policies and testing standards at group level to evidence compliance in the UK while co-ordinating with DORA where relevant.

The UK regime – set out across the FCA Handbook and the PRA Rulebook – places the emphasis on resilience outcomes: continuity of important business services within impact tolerances, supported by governance, mapping, scenario testing and remediation to address vulnerabilities. It is complemented by detailed FCA and PRA expectations on outsourcing and third-party risk management. By contrast, DORA prescribes standardised obligations for ICT risk management, incident classification and reporting, resilience testing and oversight of ICT third-party risk, and establishes an EU-level oversight regime for critical ICT third-party providers co-ordinated by the European Supervisory Authorities. Both frameworks share a common aim: ensuring that disruptions – whether cyber, technological or operational – do not compromise firms’ ability to serve clients or threaten financial stability.

As a result, firms are reshaping outsourcing and third-party risk frameworks to meet UK expectations, with cross-border alignment with DORA where relevant. In practice, UK-regulated firms are focusing on clearer classification of services as critical or important; strengthening access, audit, information and termination rights; maintaining registers of third-party arrangements; and demonstrating that data, systems and recovery arrangements are segregated, tested and operationally independent. DORA goes further by prescribing minimum contractual elements for ICT services – covering access, audit, information, resilience and testing obligations, sub-outsourcing controls, data and security requirements, termination
