Operational resilience in banking: from regulatory compliance to strategic priority

As regulatory frameworks tighten and cybersecurity threats grow in complexity, operational resilience is, now more than ever, a boardroom challenge for banks.

Operational resilience and cybersecurity have long been key concerns for banks, but 2025 marks a sharp turning point. The implementation of the EU’s Digital Operational Resilience Act (DORA) and the U.K.’s operational resilience (OR) and Critical Third Parties (CTP) rules introduces an era of heightened regulatory expectations for even greater accountability and transparency.

At their core, these frameworks challenge banks to refine their governance structures, cybersecurity risk management practices and oversight of their ICT[1] suppliers. While the penalties for non-compliance can be steep, these regulations also present an opportunity for banks to further strengthen their approach to resilience in a constantly evolving global operating environment.

In this article, we highlight the most significant issues that banks should consider in response to the operational resilience and cybersecurity compliance challenges facing them.

The regulatory landscape

DORA, which came into effect from January 17, 2025, establishes a detailed framework to strengthen the operational resilience of financial organizations across the European Union (EU). Its provisions include ICT risk management, incident reporting and oversight of critical third-party ICT suppliers.

In the U.K., banks had until March 31, 2025 to implement the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England’s OR rules, while the related CTP rules took effect on January 1, 2025 (albeit they will only apply to individual CTPs from the date their designation comes into force). These rules are closely aligned with DORA, covering similar ground. As an example, and echoing the approach taken by DORA, the OR rules require regular testing of incident response plans, and the CTP rules will bring critical third-party providers under direct regulatory supervision. Looking ahead, it also remains to be seen whether the forthcoming Cyber Security and Resilience Bill will impose additional requirements on the U.K. financial services industry, particularly on incident reporting.

In the U.S., operational resilience and cybersecurity remain key concerns for regulators. Oversight is shared among federal and state agencies. While President Trump’s administration is prioritizing deregulation, federal and state regulators are expected to continue their strong focus on resilience and cybersecurity.

While ongoing compliance with DORA and the U.K. rules should strengthen the resilience of the European financial system and help banks to avoid the worst effects of major incidents, banks must also prepare for the heightened scrutiny and enforcement risks over the coming months and beyond.

Regulatory enforcement risks and triggers

It is unclear how soon regulatory investigations and enforcement action under DORA and the U.K. rules will come about. There are three likely factors that may prompt regulators to launch investigations:

  • Proactive investigations – regulators may undertake compliance audits.
  • Triggered response – whistleblowing from employees, third parties or other stakeholders claiming, for example, inadequate risk management or poor incident reporting, may also lead to regulatory scrutiny.
  • Reported incidents – an incident that meets the relevant reporting threshold may prompt an investigation into the circumstances of the incident, revealing potential regulatory compliance shortcomings.

Boards and management teams can address these risks by promoting a culture of accountability and ensuring comprehensive documentation of compliance activities. Putting in place a robust compliance framework and regular audits are critical to reducing compliance risk. The new regulatory landscape brings a sharp edge to this drive, as DORA holds out the possibility of direct fines for management teams while the FCA has emphasized the need for senior managers to ensure compliance with its rules.

Priorities for banks

Meeting the 2025 compliance deadlines is only the beginning. The more significant challenge lies in embedding operational resilience into every level of the bank’s operations, structures, and systems.

In our view, the areas to prioritize include:

  • Strengthening supplier oversight – renegotiating contracts with ICT suppliers to address resilience requirements is essential. Banks should collaborate closely with their suppliers to identify and mitigate any vulnerabilities in their relationships.
  • Documenting compliance efforts – regulators are likely to demand evidence of compliance. Banks should ensure that all risk assessments, audits, and contractual updates are carefully documented.
  • Integrating resilience into strategy – operational resilience must remain (or become) a core governance priority. Boards should include resilience as a standard part of discussions and plans. They should embed operational resilience into the bank’s organizational culture and long-term goals.

As DORA and the new rules come into force, banks must document all efforts made to achieve compliance, including any mitigation strategies and communication with regulators and their suppliers.

Crucially, being able to provide a clear roadmap for addressing remaining gaps in compliance may help in discussions with regulators and potentially reduce any enforcement risk. This is also not a “once and done” exercise. The expectation is that those subject to the new rules, whether in the EU or the U.K., will maintain their focus on operational resilience, continuously reviewing and improving their ICT risk management processes against best practice.

Cybersecurity’s impact on resilience

Cybersecurity is central to operational resilience, particularly as threats continue to grow in scale, sophistication, and impact. Horizon-scanning for emerging threats, such as AI-based cyberattacks and the new risks posed by quantum computing, should be considered by boards and senior management.

At a practical level, a ‘security by design’[2] approach should underpin all operational activities, and cybersecurity considerations should be integrated into every layer of decision-making.

Longer-term considerations

DORA and the U.K. rules present more than compliance challenges; they offer an opportunity to strengthen operational effectiveness and productivity, enhance competitiveness by inspiring customer trust and help banks identify, anticipate, and defend against ICT-related risks.

By addressing these requirements proactively, banks can turn compliance into a catalyst for efficiency and growth.

Footnotes

1. Information and Communication Technology

2. Security by design integrates cybersecurity measures into every facet of the bank and its operations, including the design and development of products and services, internal and external systems and all stakeholder relationships.