Key Takeaways

Chapter 33: Cybersecurity Regulations — DORA, NIST, and Operational Resilience


The Essentials

  • Cyber incidents are simultaneously operational, legal, and regulatory events. A ransomware attack at 3:14 AM is not just a technology problem; within hours it triggers FCA PRIN 11 notifications, UK GDPR breach assessment, DORA major incident classification for EU operations, and Board-level accountability under the Senior Managers and Certification Regime. The compliance function owns the regulatory response even when the technical response belongs to IT.

  • DORA's 4-hour initial notification clock starts at classification, not at detection. This is one of the most operationally significant details in the regulation. A firm may detect an incident at 3:00 AM but spend two hours confirming severity; once it classifies the incident as major under DORA Article 19 criteria, the 4-hour window begins. Firms that conflate detection time with classification time will systematically misreport their timelines — itself a regulatory violation.

  • The FCA/PRA impact tolerance framework forces firms to pre-define failure. By requiring firms to specify the maximum tolerable disruption to each important business service — expressed in hours and customer harm metrics — the framework transforms vague resilience aspirations into testable, auditable commitments. Breaching a self-declared tolerance immediately triggers notification and remediation obligations. Firms cannot retrospectively adjust tolerances after an incident to make the breach look smaller.

  • Third-party ICT risk cannot be outsourced; only its management can. Both DORA Article 28 and the FCA Critical Third Party regime are built on the same regulatory principle: regulated firms remain responsible for the operational resilience of services they receive from external providers. Cloud hosting does not transfer regulatory accountability. Contracts, audit rights, exit plans, and recovery testing are compliance requirements, not optional enhancements.

  • NIST CSF 2.0 provides the operational vocabulary that connects technical and regulatory teams. The six core functions — Govern, Identify, Protect, Detect, Respond, Recover — give CCOs, CISOs, and regulators a shared framework for assessing cyber maturity and structuring incident response. The 2024 addition of the Govern function explicitly addresses cybersecurity risk governance and accountability at Board level, aligning NIST CSF with the accountability requirements of DORA Article 5 and the SM&CR.

  • Notification obligations multiply across jurisdictions. A single incident affecting a firm with UK, EU, and US operations can simultaneously trigger FCA PRIN 11 (prompt notification, no fixed deadline), DORA major incident reporting (4h / 72h / 30-day), UK GDPR breach notification to the ICO (72 hours), NIS2 obligations for designated entities, and US SEC cybersecurity disclosure rules (4 business days for material incidents). Each obligation has a different recipient, different content standard, and different consequence for late filing.

  • The compliance professional's role in a cyber incident is documentation, escalation, and regulatory liaison — not technical remediation. The CCO's job during a live incident is to run parallel to the technical response: classifying the regulatory exposure, drafting notifications, tracking timelines, briefing senior management, and ensuring the incident record is accurate and contemporaneous. Firms that wait for the technical team to finish before starting the regulatory response will inevitably miss notification deadlines.


Regulatory Framework Summary

Framework: DORA (EU 2022/2554)
  Jurisdiction: EU / EEA; applies from 17 January 2025
  Scope: All financial entities regulated in the EU: banks, investment firms, insurance undertakings, payment institutions, e-money institutions, crypto-asset service providers, and designated Critical ICT Third-Party Providers
  Key Compliance Obligations: ICT risk management framework (Board accountability); major incident classification and three-stage reporting (4h / 72h / 30 days); TLPT (Threat-Led Penetration Testing) at least every 3 years for significant entities; ICT third-party provider register; DORA-compliant contract provisions under Article 30; concentration risk assessment

Framework: FCA / PRA Operational Resilience (PS21/3, SS1/21)
  Jurisdiction: United Kingdom; compliance required from 31 March 2022; ability to remain within tolerances required by 31 March 2025
  Scope: FCA/PRA dual-regulated firms; FCA solo-regulated firms; proportionate application based on systemic significance and size
  Key Compliance Obligations: Identify important business services; set impact tolerances (maximum disruption duration); map dependencies; conduct scenario testing (including cyber scenarios); produce and maintain annual self-assessment; notify FCA of material breaches under PRIN 11

Framework: NIST Cybersecurity Framework (CSF 2.0, 2024)
  Jurisdiction: United States; globally adopted as best practice reference
  Scope: Voluntary for most entities; effectively mandatory for US federal contractors; referenced in FFIEC, OCC, FDIC, and Federal Reserve guidance
  Key Compliance Obligations: Implement the six core functions: Govern, Identify, Protect, Detect, Respond, Recover; conduct organizational risk assessment; develop a cybersecurity profile; assess implementation tier; document and test cyber incident response

Framework: UK GDPR / Data Protection Act 2018
  Jurisdiction: United Kingdom; post-Brexit equivalent of EU GDPR
  Scope: All organisations processing personal data of UK data subjects
  Key Compliance Obligations: Report personal data breaches posing risk to data subjects to the ICO within 72 hours of becoming aware; notify affected individuals without undue delay where high risk to rights and freedoms; maintain breach register; implement appropriate technical and organisational security measures (Article 32)

Framework: NIS2 Directive (EU 2022/2555)
  Jurisdiction: EU / EEA; lex specialis: financial entities covered by DORA are treated as compliant with equivalent NIS2 obligations
  Scope: Essential and important entities in critical sectors including financial infrastructure, digital infrastructure, energy, transport, health
  Key Compliance Obligations: Cybersecurity risk management measures; significant incident notification: 24-hour early warning, 72-hour incident notification, 30-day final report; supply chain security obligations; Board accountability for cybersecurity measures

DORA Major Incident Notification Timeline

Phase: Initial notification
  Deadline: Within 4 hours of classification as a major incident, and no later than 24 hours after first detection, whichever is earlier; the 24-hour outside limit prevents firms from delaying classification in order to delay notification
  Content Required: Incident reference number; date and time of first detection; date and time of classification as major; nature of the incident (ransomware, DDoS, cloud outage, data breach, etc.); ICT systems and services affected; preliminary impact assessment (customers, transactions, critical functions); incident status (ongoing or resolved); initial hypothesis on cause or attack vector
  Recipient: National Competent Authority for the entity's primary EU supervisor (e.g., ECB for significant credit institutions under SSM; national central bank or financial regulator for less significant institutions; ESMA-supervised entities to ESMA)

Phase: Intermediate report
  Deadline: Within 72 hours of the initial notification being submitted
  Content Required: Updated and more detailed description of the incident and its progression; current containment and remediation status; extended impact assessment: number of clients affected, financial services disrupted, counterparty impact, cross-border dimension; steps taken to restore services and estimated restoration timeline; preliminary root cause analysis; any involvement of or impact on ICT third-party providers; update on whether classification as major remains accurate
  Recipient: Same National Competent Authority as initial notification; the NCA may share information with other EU supervisory bodies (EBA, ESMA, EIOPA) as appropriate

Phase: Final report
  Deadline: Within 30 calendar days of service restoration (or within 30 days of the intermediate report if the incident remains ongoing at that point)
  Content Required: Complete root cause analysis with supporting technical detail; full impact assessment: clients, financial losses, operational disruption, reputational impact; comprehensive timeline from initial detection through full resolution; remediation actions taken and in progress; confirmation of lessons learned; assessment of whether ICT third-party providers contributed to the incident and what contractual or supervisory consequences follow; updated resilience measures
  Recipient: National Competent Authority; report may be shared with ENISA and, for significant incidents, with the joint ESA committee

Impact Tolerance Breach — Compliance Actions

When an important business service exceeds its self-declared impact tolerance, a compliance officer must take the following steps:

  1. Confirm and timestamp the breach. Record the precise moment the tolerance was exceeded — for example, "payment processing unavailable for 4 hours 14 minutes against a declared 4-hour tolerance." This timestamp is the regulatory anchor for all subsequent obligations.

  2. Escalate immediately to Senior Management. The Senior Manager with designated responsibility for operational resilience under SM&CR must be notified. Document the escalation with time and method. The Board or a designated Board committee should be informed within the same session.

  3. File FCA PRIN 11 notification. Notify the FCA as soon as reasonably practicable that a material impact tolerance breach has occurred. Do not defer notification pending full incident resolution. The notification should identify the business service affected, the duration of disruption, the nature of the incident, steps being taken to restore service, and any customer harm to date.

  4. Assess GDPR exposure. Determine whether personal data has been accessed, lost, or rendered unavailable as part of the incident. If payment processing, customer portals, or customer data systems are affected, treat this as a potential personal data breach and begin the 72-hour ICO notification assessment. Assign a lead for this assessment distinct from the technical response team.

  5. Assess DORA major incident criteria (for EU-regulated operations). Apply the DORA classification criteria to any EU-supervised entity within the group: client impact, financial losses, geographic spread, duration, criticality of the affected service. If the criteria are met, classify as a major incident and begin the 4-hour initial notification clock.

  6. Convene the regulatory notification working group. Bring together CCO, General Counsel, CISO, and Head of Operations within 90 minutes of the confirmed breach. Review all pending regulatory notification obligations; assign ownership for each notification; confirm drafts are in progress; set a deadline for senior management review.

  7. Open and maintain the incident register entry. Log the incident with all required fields: detection time, classification time, services affected, regulatory obligations triggered, notification deadlines, actions taken, and communications made. This register is a regulatory document and must be accurate, contemporaneous, and retained.

  8. Engage external counsel and the supervisory contact. For significant incidents, proactive engagement with the firm's named FCA supervisory contact is advisable before formal notification. Document all regulatory communications.

  9. Coordinate customer communications. Customer-facing communications must not inadvertently contradict or conflict with regulatory notifications. Legal and compliance should review all customer statements before publication.

  10. Schedule post-incident review. Schedule the post-incident review while the incident is still active. The review must address root cause, notification timeline adherence, gaps in the incident response procedure, and planned remediation. Both DORA and the FCA framework expect demonstrable organisational learning.
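The deadline chain in the DORA timeline above, the tolerance breach timestamp in step 1, and the 72-hour ICO window in step 4 can be worked through as a small register-side calculator. The following is an added example written for this chapter, not tooling from any regulator or from the firm the chapter describes: it encodes only the rules as this page states them (4 hours from classification capped at 24 hours from detection; 72 hours from submission of the initial notification; 30 calendar days from restoration, or from the intermediate report if still ongoing; 72 hours from becoming aware of a personal data breach). Every timestamp, field name and function name in it is constructed for illustration.

```python
"""Regulatory deadline calculator for a cyber incident register (constructed example).

Encodes the deadline rules as stated in the chapter; not any regulator's or
vendor's tooling. All timestamps below are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

UTC = timezone.utc


@dataclass
class IncidentRecord:
    """Minimal incident register entry; only the timestamps the deadlines depend on."""
    detected_at: datetime                                   # first detection
    classified_major_at: Optional[datetime] = None          # DORA major-incident classification
    initial_notification_sent_at: Optional[datetime] = None
    intermediate_report_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None
    service_restored_at: Optional[datetime] = None
    gdpr_aware_at: Optional[datetime] = None                # personal data breach established
    ico_notified_at: Optional[datetime] = None


def dora_initial_deadline(rec: IncidentRecord) -> Optional[datetime]:
    """4 hours from classification, but never later than 24 hours after first detection.
    Returns None until the incident is classified as major: the clock has not started."""
    if rec.classified_major_at is None:
        return None
    from_classification = rec.classified_major_at + timedelta(hours=4)
    outside_limit = rec.detected_at + timedelta(hours=24)
    return min(from_classification, outside_limit)


def dora_intermediate_deadline(rec: IncidentRecord) -> Optional[datetime]:
    """72 hours from submission of the initial notification (not from classification)."""
    if rec.initial_notification_sent_at is None:
        return None
    return rec.initial_notification_sent_at + timedelta(hours=72)


def dora_final_deadline(rec: IncidentRecord) -> Optional[datetime]:
    """30 calendar days from restoration; if still ongoing, 30 days from the intermediate report."""
    if rec.service_restored_at is not None:
        return rec.service_restored_at + timedelta(days=30)
    if rec.intermediate_report_sent_at is not None:
        return rec.intermediate_report_sent_at + timedelta(days=30)
    return None


def gdpr_ico_deadline(rec: IncidentRecord) -> Optional[datetime]:
    """72 hours from becoming aware of a personal data breach."""
    if rec.gdpr_aware_at is None:
        return None
    return rec.gdpr_aware_at + timedelta(hours=72)


def tolerance_breach(outage_start: datetime, outage_end: datetime, tolerance: timedelta) -> dict:
    """Compare an outage against a declared impact tolerance.
    'exceeded_at' is the moment the tolerance was crossed: the regulatory anchor for step 1."""
    duration = outage_end - outage_start
    breached = duration > tolerance
    return {
        "breached": breached,
        "exceeded_at": outage_start + tolerance if breached else None,
        "exceeded_by": duration - tolerance if breached else timedelta(0),
    }


def overdue_obligations(rec: IncidentRecord, now: Union[datetime, str]) -> list:
    """Names of obligations whose deadline has passed without a recorded submission."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    checks = [
        ("DORA initial", dora_initial_deadline(rec), rec.initial_notification_sent_at),
        ("DORA intermediate", dora_intermediate_deadline(rec), rec.intermediate_report_sent_at),
        ("DORA final", dora_final_deadline(rec), rec.final_report_sent_at),
        ("UK GDPR ICO", gdpr_ico_deadline(rec), rec.ico_notified_at),
    ]
    return [name for name, due, sent in checks if due is not None and sent is None and now > due]


# Constructed scenario A: detected 03:00, classified two hours later, initial filed at 08:30.
EARLY = IncidentRecord(
    detected_at=datetime(2025, 3, 3, 3, 0, tzinfo=UTC),
    classified_major_at=datetime(2025, 3, 3, 5, 0, tzinfo=UTC),
    initial_notification_sent_at=datetime(2025, 3, 3, 8, 30, tzinfo=UTC),
    gdpr_aware_at=datetime(2025, 3, 3, 4, 30, tzinfo=UTC),
    service_restored_at=datetime(2025, 3, 3, 7, 28, tzinfo=UTC),
)
# Constructed scenario B: classification deferred 22 hours, so the 24-hour outside limit bites.
LATE = IncidentRecord(
    detected_at=datetime(2025, 3, 3, 3, 0, tzinfo=UTC),
    classified_major_at=datetime(2025, 3, 4, 1, 0, tzinfo=UTC),
)
# Constructed outage: payment processing down 4h14m against a declared 4-hour tolerance.
OUTAGE = tolerance_breach(datetime(2025, 3, 3, 3, 14, tzinfo=UTC),
                          datetime(2025, 3, 3, 7, 28, tzinfo=UTC),
                          timedelta(hours=4))

if __name__ == "__main__":
    print("A initial due:", dora_initial_deadline(EARLY).isoformat())
    print("B initial due:", dora_initial_deadline(LATE).isoformat())
    print("Overdue in B at 04:00 next day:", overdue_obligations(LATE, "2025-03-04T04:00:00+00:00"))
    print("Tolerance breach:", OUTAGE)
```

Two design points follow from the text. `dora_initial_deadline` returns `None` until `classified_major_at` is set, which forces the register to hold detection and classification as separate timestamps, the distinction the Essentials bullet warns about; and scenario B shows the 24-hour cap overriding the 4-hour rule when classification is deferred, so a late classification does not buy the firm more time.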


Practitioner Checklist: Cyber Incident Response

First Hour (0–60 minutes from detection)

  • [ ] Confirm incident severity with CISO and Operations lead
  • [ ] Identify all ICT systems and business services affected
  • [ ] Open incident register entry; record detection time
  • [ ] Convene incident response team (CISO, CCO, Legal, Operations)
  • [ ] Assess whether personal data is potentially involved (start GDPR trigger assessment)
  • [ ] Identify which jurisdictions' regulatory frameworks apply (UK, EU, US, other)
  • [ ] Notify Senior Manager with operational resilience accountability (SM&CR)
  • [ ] Begin drafting preliminary incident description for notification purposes

First 4 Hours (1–4 hours from classification)

  • [ ] Complete impact tolerance assessment — identify all important business services affected and whether tolerances are breached
  • [ ] Complete DORA major incident criteria assessment if EU operations are in scope
  • [ ] If major incident: classify formally and begin DORA 4-hour notification clock from classification time (not detection time)
  • [ ] Draft FCA PRIN 11 notification; obtain senior management sign-off
  • [ ] File FCA notification if impact tolerance breached or material incident confirmed
  • [ ] Confirm whether ICO notification is required; begin 72-hour tracking if personal data breach confirmed
  • [ ] Convene notification working group; assign ownership for each regulatory obligation
  • [ ] Brief Board or designated Board committee

First 24 Hours

  • [ ] File DORA initial notification (within 4 hours of classification; outside limit 24 hours from detection)
  • [ ] File or confirm GDPR breach notification to ICO if personal data breach established
  • [ ] Notify affected customers as required by data protection obligations
  • [ ] File any US regulatory notifications (FINRA systems disruption, SEC 8-K if material) if applicable
  • [ ] Continue technical remediation; update incident register in real time
  • [ ] Begin preliminary root cause analysis for intermediate report preparation
  • [ ] Prepare Board update with complete regulatory exposure summary

First 72 Hours

  • [ ] File DORA intermediate report (72 hours from initial notification submission)
  • [ ] Complete ICO GDPR notification if not yet submitted
  • [ ] Update FCA with incident status and estimated restoration timeline
  • [ ] Compile preliminary customer harm assessment
  • [ ] Retain all incident documentation: logs, communications, notification drafts, internal escalation records
  • [ ] Brief external counsel on enforcement or civil claims risk

30 Days (Final Reporting and Remediation)

  • [ ] File DORA final report within 30 days of service restoration or intermediate report
  • [ ] Complete post-incident review; produce lessons-learned report for Board
  • [ ] Submit Board-approved remediation plan to FCA if requested
  • [ ] Update business continuity plan and incident response procedure
  • [ ] Assess whether ICT third-party contracts require renegotiation to address DORA Article 30 gaps
  • [ ] Consider whether TLPT or penetration testing should be brought forward
  • [ ] Update impact tolerance self-assessment if the incident revealed gaps in the declared tolerance
  • [ ] Confirm all regulatory notifications are filed, accurate, and retained in the compliance record

What Maya Would Say

A cyber incident does not pause for the compliance function to get ready — it begins the moment the first alert fires, and the regulatory clock starts ticking whether or not anyone in compliance is awake. The CCO's job is not to understand every line of malicious code; it is to know every regulatory deadline, own every notification, and ensure that the firm's response is documented with enough precision that, six months later, a regulator can reconstruct exactly what the firm knew, when it knew it, and what it did. The compliance professional who masters cyber incident response is not a technical expert. She is the person in the room who understands that an outage is a legal event — and that how it is documented matters almost as much as how it is resolved.