
From Resilience to DORA: Key Challenges and Issues

By Dr Rizwan Asghar, Iffat Gheyas, and Professor Steve Schneider

Building a resilient digital economy is one of the UK’s priorities. One step towards this vision is the UK’s National Cyber Strategy (2022), which introduces a new key pillar, cyber resilience, backed by a budget of £2.6 billion over three years. One might wonder what cyber resilience is and how it differs from cyber security. Cyber resilience can be understood as the ability of an organisation’s critical infrastructure, communication networks, and IT systems to prepare for, absorb, recover from, and adapt to the adverse effects of cyber attacks on business continuity and essential operations. Cyber resilience differs from cyber security in that it is a risk-informed rather than a threat-led approach to protecting digital assets. In simple terms, cyber security puts controls in place to mitigate cyber attacks, while cyber resilience focuses on recovering from a successful attack.

A major challenge for governments is the protection of critical national infrastructure. The good news is that the UK has taken an initiative in the right direction by proposing the National Resilience Framework (2023) to prevent, mitigate, respond to, and recover from potential risks. A 2020 National Infrastructure Commission report had already suggested that a proactive approach is needed to make infrastructure resilient, for which standards for cyber resilience must be developed and kept up to date. The Cyber Security Strategy 2022-2030 also sets a target of fixing known vulnerabilities by 2030. However, the reality is that serious action is needed to achieve such ambitious goals and objectives.

As for the resilience of critical entities, there is also EU Directive 2022/2557, introduced in December 2022. It offers guidance on the strategy for the resilience of critical entities, risk assessment by critical entities, and resilience measures for critical entities. However, it is not specific to a single sector.
The Digital Operational Resilience Act (DORA) is the most recent sector-specific development with regard to resilience. DORA is EU Regulation 2022/2554, which harmonises ICT security across the EU financial sector. It came into force in January 2023 and is enforceable from 17 January 2025, applicable to all EU member states and the UK. DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU. These include credit, payment and electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, trading venues and trade repositories, insurance and insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, and ICT third-party service providers. It also applies to the ICT infrastructure supporting them from outside the EU.

The five key obligations under DORA are: (i) ICT risk management and governance, requiring a documented ICT risk management framework and prompt remediation of ICT risk; (ii) incident reporting and management; (iii) operational resilience testing; (iv) management of ICT third-party risk; and (v) information sharing, which is encouraged but not mandatory. If DORA obligations are not met, regulators have the power to impose fines of up to 1% of daily turnover for every day of non-compliance.

GDPR and DORA might look similar in the sense that both are EU regulations for protecting digital assets and services, but there are key differences too. For instance, DORA is about availability, while GDPR is about privacy protection. DORA aims to ensure the resilience of financial services, whereas GDPR focuses on protecting personal data and privacy rights. DORA calls for “continuous monitoring”, whereas GDPR is about compliance; in a way, this is a shift from compliance (GDPR) to a risk-centric approach (DORA). In terms of scope, GDPR is global, but DORA is not.
DORA alone is not enough, as it applies to the financial sector only. Moving forward, it needs to be extended or, even better, a universal regulation (on the scale of GDPR) is required to make most (if not all) organisations responsible for ensuring the resilience of their data and online services.

Written by Rizwan Asghar
