Who Must Comply to DORA?

Navigate the complexities of DORA compliance in this clip from HANDD’s recent webinar. While financial organisations and EU-based IT service providers fall clearly within scope, uncertainties arise for UK entities post-Brexit. Our experts emphasise the potential advantages of voluntarily complying with DORA, suggesting it as a strategic move in addressing security concerns and maintaining a competitive edge, especially for UK firms engaged with EU operations or markets.

View the clip and transcript below or watch the full webinar.


Sam Malkin:

Whenever there’s new regulation, the first thing people do is kind of run around and go do I have to do anything? Can I get out of doing something here, you know, who who must comply. And this has been no different. Now, I try my best to be as categorical as I feel like I possible about who’s in and kind of who’s out. So the obvious thing is that this is an EU directive. So if you’re a financial organization or you’re an outsourced IT service provider who operates within the EU, then you’re obviously going to apply you know, that’s that’s black and white. Now, if you look at the graphic that’s up on the screen there, there’s something missing, that thing being the United Kingdom where I’m sat today. With the United Kingdom no longer being an EU member state that throws a lot of confusion into a gray area. What should be going on with a firm based in London or a UK based? So there’s also been murmurings I guess, of the UK potentially choosing to adopt the regulation anyway, maybe it’s going to create its own regulation, maybe it will just ignore it altogether. There is already UK based regulation that exists out there.

So, whether the UK will or won’t, I can’t shed any more light on that at this point in time, but what I can say is, if you are one of these types of organisation then you are  in scope for DORA if you’re a UK based one of these types of organisations, if you do business with an EU registered entity, if you’ve got European operations if you trade within the EU market, despite being a UK firm. So let’s say your offices in are in London, or you started in London or you registered with with UK companies house or whatever it is, but you connect to the German Stock Exchange, then you’re gonna fall into scope with with DORA. Now in my opinion, I think that actually complying, even if you don’t have to by law is probably also only ever a good thing. There are lots and lots of bits in here about questioning security to me and kind of due diligence I was going to say at some point around where you place your business, where you award contracts, and who you do business with and who you connect to technically, if you deliberately mark yourself as out of scope, and try not to comply, that I think you could see yourself at a competitive disadvantage when it comes to the awarding of contracts and comparing between firms and things like that.

Need support to achieve DORA compliance?

HANDD is experienced in helping banks and financial institutions navigate the complexities of new cyber regulation, and DORA is no exception. Our experienced team of cyber-risk specialists can help you find and identify non-compliant areas of your business in preparation for the full launch of DORA in 2025.

Book a call with our DORA Consultant: Call +44 (0)845 643 4063 or email marketing@handd.co.uk

Need more? View all our DORA resources here.