Further Reading

Chapter 33: Cybersecurity Regulations — DORA, NIST, and Operational Resilience


Essential Reading

DORA — Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector
The full text of DORA, as published in the Official Journal of the European Union on 27 December 2022, applicable from 17 January 2025. Chapter 33 focuses on: Title II (ICT Risk Management Framework, Articles 5–16); Title III (ICT Incident Management and Reporting, Articles 17–23); Title IV (Digital Operational Resilience Testing, Articles 24–27); and Title V (ICT Third-Party Risk Management, Articles 28–44). Every practitioner working with EU-regulated financial entities must read the regulation itself, not only secondary commentary on it. Available via EUR-Lex at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554

FCA/PRA Policy Statement PS21/3 — Building Operational Resilience (March 2021)
The foundational UK document establishing the operational resilience framework, including PRA Supervisory Statement SS1/21. PS21/3 introduces the core concepts of important business services, impact tolerances, and the self-assessment requirement. It sets the expectation — confirmed as a binding obligation from 31 March 2025 — that all in-scope firms must demonstrate the ability to remain within their stated impact tolerances during severe but plausible disruption scenarios, including cyber attack scenarios. Available via the Bank of England at: https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/building-operational-resilience

NIST Cybersecurity Framework 2.0 (February 2024)
The definitive text of CSF 2.0, updated from the original 2014 framework and the 2018 Version 1.1. The 2024 update adds the Govern function as the sixth core function, substantially expands supply chain risk management guidance, and provides implementation examples for each subcategory. The framework is the dominant global reference for structuring cybersecurity programmes and, increasingly, for structured regulatory dialogue between firms and supervisors. Available at: https://www.nist.gov/cyberframework — the website includes the core framework, implementation guidance, reference tool, and mapping tables to ISO 27001 and other international standards.


For Practitioners

Joint ESA DORA Regulatory Technical Standards Package (2024)
The European Supervisory Authorities (EBA, EIOPA, ESMA) published the DORA RTS package in 2024, comprising: RTS on major incident classification (specifying the precise criteria — transaction volumes, client numbers, duration, geographic spread — that determine when an incident must be classified as major); RTS on ICT risk management (specifying the content requirements for the ICT risk management framework); RTS on TLPT (Threat-Led Penetration Testing, specifying the scope, methodology, certification requirements, and sharing of TLPT results); and RTS on ICT third-party risk (specifying the minimum content of DORA Article 30 contracts). The RTS are the operational layer of DORA — the regulation sets the obligation; the RTS define how to meet it. Available via the EBA's DORA page at: https://www.eba.europa.eu/regulation-and-policy/operational-resilience/digital-operational-resilience-act-dora

BIS Principles for Operational Resilience (March 2021)
The Basel Committee on Banking Supervision's principles, published simultaneously with the UK PS21/3, establishing a globally consistent framework for operational resilience in banking. The BIS principles cover: sound governance and culture; operational risk management; business continuity planning; mapping of interconnections and interdependencies; third-party dependency management; and incident management. The principles are not legally binding but are highly influential in shaping regulatory expectations internationally and provide useful framing for Board-level governance of cyber resilience. Available at: https://www.bis.org/bcbs/publ/d516.htm

ENISA DORA Implementation Guidance and Technical Reports
The EU Agency for Cybersecurity (ENISA) publishes technical guidance supporting DORA implementation, including: mapping of DORA requirements to existing cybersecurity standards (ISO 27001, NIST CSF, COBIT); guidance on ICT third-party risk management under DORA; and the annual ENISA Threat Landscape for Financial Services. ENISA's guidance is particularly useful for firms that need to integrate DORA compliance with existing cybersecurity frameworks rather than building a separate DORA-specific programme. Available at: https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/finance

Allen & Overy and Herbert Smith Freehills — DORA Implementation Practitioner Guides
Both major international law firms have produced publicly available practitioner-level DORA implementation guides covering: the contract remediation obligation under Article 30; ICT incident classification in practice; the TLPT process and firm selection criteria; the scope of DORA's application to non-EU firms with EU operations; and the interaction between DORA and the UK CTP regime. These guides are updated as technical standards are finalised and are freely accessible on firm websites. Allen & Overy: https://www.allenovery.com; Herbert Smith Freehills: https://www.herbertsmithfreehills.com


Technical Foundations

NIST SP 800-61 Rev. 3 — Computer Security Incident Handling Guide
NIST's primary guidance on building and operating a computer security incident response capability. Covers the incident response lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. The guide provides the methodological foundation for the incident response procedures that DORA, the FCA framework, and GDPR all implicitly require firms to maintain. Particularly valuable for compliance teams seeking to understand the technical response process well enough to integrate regulatory notification obligations into it. Available at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf

ISO/IEC 27001:2022 — Information Security Management Systems
The international standard for information security management, widely adopted in EU and UK financial services as the baseline certification for ICT security. ISO 27001:2022 is referenced in DORA's RTS on ICT risk management and is accepted by the FCA and PRA as evidence of strong security controls. Understanding ISO 27001's structure — its risk assessment methodology, control domains, and certification process — helps compliance professionals understand what "appropriate technical and organisational measures" means in practice, both under GDPR Article 32 and under DORA's ICT risk management requirements. Available via the ISO at: https://www.iso.org/standard/27001

TIBER-EU Framework — Threat Intelligence-Based Ethical Red Teaming
The European Central Bank's framework underpinning DORA's TLPT requirements, built on a three-phase methodology: threat intelligence assessment (producing a tailored threat landscape for the tested entity); red team testing (simulating the tactics, techniques, and procedures of identified threat actors); and closure (report, remediation, and results sharing with the competent authority). DORA's TLPT RTS is built on TIBER-EU. Practitioners involved in managing TLPT programmes must understand both the TIBER-EU methodology and the firm-specific adaptations introduced by the DORA RTS. Available at: https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html


Regulatory Primary Sources

Document: DORA — Regulation (EU) 2022/2554
Jurisdiction: EU / EEA; applicable from 17 January 2025
Key Requirement: ICT risk management framework with Board accountability (Art. 5–16); major incident classification and three-stage reporting 4h/72h/30 days (Art. 17–23); TLPT at least every 3 years for significant entities (Art. 24–27); ICT third-party risk management including mandatory contract provisions and CTP oversight (Art. 28–44)

Document: FCA/PRA Policy Statement PS21/3
Jurisdiction: United Kingdom; "remain within tolerance" obligation from 31 March 2025
Key Requirement: Identify important business services; set impact tolerances; map dependencies; conduct scenario testing including cyber scenarios; produce annual self-assessment; notify FCA of material tolerance breaches under PRIN 11

Document: PRA Supervisory Statement SS1/21
Jurisdiction: United Kingdom
Key Requirement: PRA's detailed expectations for PRA-regulated firms on operational resilience, including cyber resilience; treatment of third-party dependencies; Board engagement requirements

Document: UK GDPR / Data Protection Act 2018
Jurisdiction: United Kingdom (post-Brexit equivalent of EU GDPR)
Key Requirement: Personal data breach notification to ICO within 72 calendar hours of controller becoming aware; notification to affected individuals without undue delay where high risk; appropriate technical and organisational security measures under Article 32

Document: EU GDPR — Regulation (EU) 2016/679
Jurisdiction: EU / EEA
Key Requirement: Same 72-hour breach notification obligation to relevant national DPA; obligation on data processors to notify controllers without undue delay (GDPR Article 28(3)(f)); appropriate security measures

Document: NIS2 Directive — Directive (EU) 2022/2555
Jurisdiction: EU / EEA; lex specialis: financial entities covered by DORA deemed compliant with equivalent NIS2 obligations
Key Requirement: Cybersecurity risk management measures for essential and important entities; significant incident notification: 24-hour early warning, 72-hour notification, 30-day final report; supply chain security

Document: FSMA 2023 — Critical Third Party Regime
Jurisdiction: United Kingdom
Key Requirement: Allows HM Treasury (on FCA/PRA/BoE recommendation) to designate technology providers as Critical Third Parties; subjects designated CTPs to minimum resilience standards, regulatory testing, and direct oversight; financial entities must maintain CTP registers and adequate contractual protections

Document: NIST Cybersecurity Framework 2.0
Jurisdiction: United States; globally adopted as best practice; referenced in FFIEC, OCC, FDIC, and Federal Reserve guidance
Key Requirement: Six core functions: Govern, Identify, Protect, Detect, Respond, Recover; implementation tiers; cybersecurity profile; supply chain risk management subcategories

Document: FINRA Rule 4370
Jurisdiction: United States
Key Requirement: Member firms must maintain written business continuity plans; material systems disruptions must be reported to FINRA; plans must be reviewed and updated at least annually; must address significant business disruptions and identify how the firm will continue business operations

Document: SEC Cybersecurity Rules (17 CFR Parts 229, 232, 239, 240, 249)
Jurisdiction: United States; effective from December 2023
Key Requirement: Registrants must disclose material cybersecurity incidents on Form 8-K within 4 business days of determining materiality; annual disclosure of cybersecurity risk management processes and Board oversight on Form 10-K

Online Resources

ENISA — European Union Agency for Cybersecurity
ENISA's primary website for financial services cybersecurity, including the annual Threat Landscape report, DORA implementation technical guidance, and sector-specific incident analysis. Updated continuously. https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/finance

NCSC — UK National Cyber Security Centre
The UK's national cybersecurity authority, a part of GCHQ. Publishes sector-specific threat assessments for the UK financial sector, practical cybersecurity guidance for regulated firms, CBEST framework documentation, and active threat advisories. The NCSC's guidance on incident management, supply chain security, and cyber resilience assessment is particularly relevant for compliance professionals. https://www.ncsc.gov.uk

FCA Operational Resilience Publications
The FCA's dedicated operational resilience publication library, including PS21/3, Dear CEO letters on operational resilience and cyber resilience, case studies from supervisory reviews, and guidance on impact tolerance setting. Updated as the FCA's supervisory posture evolves; the Dear CEO letters in particular reflect current regulatory expectations more precisely than the formal rules. https://www.fca.org.uk/firms/operational-resilience

EBA — DORA Implementation Hub
The European Banking Authority's dedicated DORA implementation page, comprising: the full RTS and ITS package; consultation paper responses; Q&A from industry; and implementation timelines. The EBA's Q&A is particularly valuable for resolving interpretation questions that are not addressed in the regulation or the RTS. https://www.eba.europa.eu/regulation-and-policy/operational-resilience/digital-operational-resilience-act-dora

ICO — Data Breach Reporting Guidance
The UK Information Commissioner's Office's practical guidance on personal data breach notification: what constitutes a breach; when to notify the ICO; when to notify affected individuals; how to complete the online notification form; and what the ICO expects from breach documentation. Includes worked examples relevant to financial services scenarios. https://ico.org.uk/for-organisations/report-a-breach/