In recent years, the European Union (EU) and United Kingdom (UK) have introduced several regulations focused on operational resilience, each with distinct requirements yet overlapping themes. For leaders, it is crucial to assess the impact of these regulations on their organizations; understanding both the commonalities and the differences is critical to navigating these frameworks effectively and prioritizing strategic initiatives.
The good news: there are clear areas of alignment across these regulations that provide an opportunity to streamline efforts. By adopting an integrated approach, organizations can not only simplify compliance with competing regulations but also build a unified resilience strategy that delivers on regulatory expectations and drives business value.
It’s important to assess the potential implications and turn these requirements into a strategic advantage. This post compares the UK Financial Conduct Authority (FCA)’s SS6/24 on Critical Third Parties, the EU’s Digital Operational Resilience Act (DORA), and the broader Operational Resilience regulations in the UK. While these regulations share common goals in enhancing operational resilience, they vary in scope, focus, and regulatory approach.
Some Parallels:
Focus on Third-Party Risk Management:
- SS6/24 and DORA both emphasize the importance of managing risks associated with third parties, particularly those providing critical services to financial institutions. There is an increasing focus on being able to understand the operational ecosystem in which organizations operate.
- The UK’s Operational Resilience regulations also stress the need for firms to understand and manage dependencies on third parties, ensuring continuity in the event of disruptions and also aligning to the Basel Principles issued in 2020.
Operational Resilience as a Key Objective:
- All three frameworks are centered on enhancing operational resilience, aiming to ensure that firms can withstand, adapt to, and recover from disruptions. Since the 2008 financial crisis, regulators have placed sustained focus on an organization’s safety and soundness.
- The FCA’s SS6/24, DORA, and UK Operational Resilience regulations highlight resilience as a critical component of financial stability and emphasize the need for firms to focus on resilience rather than purely on regulatory compliance.
Resilience Testing and Incident Response:
- SS6/24 mandates resilience testing for critical third parties to ensure their ability to handle disruptions, a requirement that aligns closely with DORA’s operational resilience testing. Scenario testing is a core component of all three regulations, each of which emphasizes acting on the lessons learned from testing to reduce risk.
- Both SS6/24 and DORA require incident reporting and coordinated response mechanisms, ensuring that firms can manage and mitigate the impacts of significant disruptions. The UK Operational Resilience framework similarly mandates testing and effective incident management.
- Incident management and crisis management have remained a continued focus over the years, as organizations face a continually evolving threat landscape.
Regulatory Oversight and Accountability:
- DORA, SS6/24, and UK Operational Resilience regulations place emphasis on regulatory oversight, allowing authorities to enforce compliance. Under SS6/24, the FCA and Prudential Regulation Authority (PRA) have the authority to supervise and take action against critical third parties, similar to the powers granted to EU regulators under DORA.
Some Notable Differences:
Scope and Jurisdiction:
- DORA is an EU-wide regulation, applying to financial entities and third-party ICT (information and communication technology) providers across all EU member states. It has a broad reach across various sectors of the financial services industry in Europe.
- SS6/24 is UK-specific and applies to third-party providers identified as critical to the UK financial system, including both UK-based and international providers that serve UK financial institutions. This is important, as some of the potential critical third parties (CTPs) supporting the financial industry are global organizations, headquartered outside the UK.
- The UK’s Operational Resilience regulations have a more general application across UK financial firms and focus on overall operational resilience, including internal processes and not just third-party dependencies.
Focus on Critical Third Parties vs. ICT Providers:
- SS6/24 specifically addresses CTPs that play a vital role in financial stability, covering a wide range of services, not limited to ICT.
- DORA, on the other hand, has a strong emphasis on ICT third-party providers and digital operational resilience, focusing particularly on technology-related dependencies within the financial sector.
- UK Operational Resilience regulations are broader, encompassing all aspects of a firm’s operations, including internal processes, personnel, and systems.
Detailed Requirements for ICT Providers in DORA:
- DORA goes into significant detail regarding ICT risk management, including specific requirements for ICT incident reporting, operational resilience testing, and the oversight of ICT third-party providers.
- SS6/24 is more flexible and principles-based, focusing on general resilience and incident response without prescribing specific ICT-related requirements.
- UK Operational Resilience regulations do not focus solely on ICT but rather on overall operational continuity and resilience for critical business services.
Regulatory Supervision and Enforcement Mechanisms:
- Under DORA, the European supervisory authorities (ESAs) have direct oversight powers over certain ICT third-party providers deemed critical.
- In contrast, SS6/24 grants authority to the FCA and PRA for oversight of CTPs within the UK. This reflects the UK’s distinct approach to supervision, where national authorities play a direct role.
- The UK’s Operational Resilience framework is supervised by the FCA and PRA but generally applies to regulated firms rather than focusing specifically on third-party providers.
Integration with Broader ESG and Strategic Objectives:
- DORA is part of the EU’s broader push for digital and sustainable finance, aligning with the EU’s Digital Finance Strategy and indirectly supporting ESG (environmental, social, and governance) objectives.
- The UK’s Operational Resilience regulations, including SS6/24, are more narrowly focused on operational continuity and resilience. They do not explicitly align with ESG goals, although resilience contributes indirectly to sustainability.
- SS6/24 does not explicitly align with digital finance or ESG, focusing more on financial stability and systemic risk reduction within the UK.
Summary:
While SS6/24, DORA, and the UK’s Operational Resilience regulations share a common goal of enhancing operational resilience and managing third-party risks, their scope and approach vary:
- SS6/24 focuses on critical third parties within the UK, with an emphasis on resilience testing and systemic risk mitigation.
- DORA is EU-wide, specifically targeting ICT providers with prescriptive requirements around digital resilience, risk management, and ESG alignment.
- UK Operational Resilience regulations provide a broader framework for resilience across all aspects of UK-regulated financial firms, beyond third-party dependencies.
Each regulation reflects its jurisdiction’s unique priorities: the UK’s emphasis on national financial stability and systemic risk and the EU’s focus on digital resilience and alignment with its broader digital finance and sustainability strategies. All have a common objective: to increase safety, soundness, and operational stability.