DORA · 2026-02-24 · 13 min read

Operational Resilience: UK vs EU Requirements (PRA SS1/21 vs DORA)



Introduction

To get a head start on understanding operational resilience requirements, open your operational resilience framework document. If you haven’t updated it for the latest regulations, now is the time. This simple step is critical because operational resilience is a keystone in financial service operations, especially with the divergence of UK and EU regulations. European financial institutions must differentiate between PRA SS1/21 in the UK and DORA within the EU to ensure compliance, avoid hefty fines, prevent audit failures, and mitigate operational disruptions and reputational damage.

The Core Problem

Operational resilience is no longer a tick-box compliance exercise; it is an essential component of any financial institution's risk management strategy. Yet the real cost of non-compliance is often misunderstood. Fines for non-compliance can be estimated at anywhere from tens of thousands to millions of euros, depending on the severity and nature of the violation. Corrective actions can stretch audit preparation from 5 days to 6 weeks, and the remaining risk exposure can lead to significant financial and reputational losses.

What most organizations get wrong is assuming that operational resilience is static: they create a framework once and then rarely update it. With regulatory changes such as the introduction of DORA, however, the landscape shifts, and so should your approach. For instance, DORA Article 42(1) specifically requires institutions to have policies and procedures in place for the identification and management of operational risks.

In contrast, the PRA's SS1/21, which applies to UK firms, focuses on the impact and recovery aspects, requiring a three-lines-of-defence model and a robust incident reporting framework. The divergence in regulatory focus means that a one-size-fits-all approach won't suffice. Financial institutions must tailor their operational resilience strategies to meet the specific demands of each jurisdiction.

The Consequences of Misalignment

To illustrate, consider a European bank operating in both the UK and several EU countries. Misalignment with DORA could mean not having the necessary third-party risk management protocols in place, as mandated by Article 43, leading to potential disruption in services and, consequently, financial losses. A simple calculation: if a service disruption affects just 1% of daily transactions, that is an estimated loss of 10,000 EUR on a daily transaction volume of 1,000,000 EUR.

On the other hand, non-compliance with PRA SS1/21 could lead to an inability to demonstrate how the firm is managing the risk of operational events that cause an impact on the delivery of essential services. This could result in regulatory scrutiny, potential fines, and a damaged reputation.

Why This Is Urgent Now

The urgency is amplified by recent regulatory changes such as the implementation of DORA, which will fully apply from 2024. Meanwhile, the PRA has been enforcing SS1/21 since 2021. The pressure is on for financial institutions to align their operational resilience strategies with these new regulations.

Market pressure adds to the urgency, as customers are increasingly demanding certifications and transparency regarding operational resilience. This is evident in the growing number of requests for SOC 2 reports and GDPR compliance demonstrations. The gap between where most organizations are and where they need to be is widening. For instance, a study found that 60% of financial services firms do not have a comprehensive third-party risk management program, which is a critical component of operational resilience, especially under DORA.

In conclusion, the divergence in operational resilience requirements between the UK and EU is a pressing concern for financial institutions. It demands immediate attention and the development of tailored strategies to meet the demands of each jurisdiction. Failing to do so could result in significant financial, operational, and reputational risks. The next steps are clear: assess your current operational resilience framework against the latest regulations, and start planning for the necessary updates.

The Solution Framework

Operational resilience is a topic that requires a structured approach. The regulations from the UK's PRA SS1/21 and the EU's DORA each provide guidelines on how to ensure operational resilience. Here, we will outline a step-by-step approach to address the requirements.

Step 1: Assess your current state
Start by mapping the current state of operational resilience within your organization. Analyze your technology infrastructure, identify critical business services, and define potential disruptions. Review your Incident Management Framework (IMF) and Business Continuity Management System (BCMS) to ensure they align with PRA SS1/21 and DORA requirements.

Step 2: Identify gaps
Compare your current state with the requirements outlined in both regulations. Identify gaps where your organization is not meeting the standards. Pay special attention to Section 3 of PRA SS1/21, which addresses incident reporting, and Article 23 of DORA, which emphasizes cooperation and information sharing in the event of a disruption.

Step 3: Develop an operational resilience framework
Create a comprehensive operational resilience framework that addresses both PRA SS1/21 and DORA. This framework should include:

  • A robust incident management process that aligns with both regulations.
  • A clear escalation path for incidents, with designated roles and responsibilities.
  • Regular scenario-based exercises to test your response plan.
  • Continuous monitoring and evaluation of your operational resilience measures.

Step 4: Implement a monitoring mechanism
Use the endpoint compliance agent provided by platforms like Matproof to monitor device compliance in real time. This helps ensure that all endpoints adhere to the necessary security protocols, preventing unauthorized access and potential disruption.

Step 5: Automated policy generation and evidence collection
AI-powered policy generation tools like Matproof can help create compliant policies for both regulations in German and English. Such tools can also automate evidence collection from cloud providers, reducing manual effort and increasing accuracy.

Step 6: Regular audits and reviews
Regularly audit your operational resilience measures to ensure they remain effective and up-to-date. This includes reviewing incident reports, testing your incident response plans, and updating your policies as needed.

Actionable Implementation Details

  • Implement Matproof's compliance automation platform to generate policies and collect evidence from cloud providers automatically, saving time and reducing the risk of human error.
  • Set up regular incident response drills to test the effectiveness of your incident management framework.
  • Conduct quarterly audits to ensure your policies and procedures are still relevant and aligned with the latest regulatory requirements.

Good vs. Just Passing
"Good" operational resilience involves a proactive approach, with continuous improvement and regular testing of incident response plans. It also includes the use of advanced technology like AI-powered policy generation and automated evidence collection. "Just passing" means meeting the minimum regulatory requirements without any additional efforts for improvement or innovative solutions.

Common Mistakes to Avoid

Mistake 1: Failing to Map Business Services
Organizations often overlook the importance of mapping their business services, which can lead to gaps in their operational resilience framework. This failure can result in unidentified critical services and a lack of preparedness for disruptions affecting these services.

Why It Fails:
A failure to identify all critical business services can lead to an incomplete understanding of the potential impacts of disruptions. This can result in inadequate incident response plans.

What To Do Instead:
Map all business services systematically, including those that are outsourced or provided by third parties. Ensure that these services are included in your incident response plans.

Mistake 2: Inadequate Incident Reporting Procedures
Many organizations establish incident reporting procedures that are too complex or not aligned with regulatory requirements. This can lead to delays in reporting incidents, which can exacerbate the impact of a disruption.

Why It Fails:
Complex reporting procedures can slow down the response time, leading to a failure to meet reporting deadlines as stipulated in both PRA SS1/21 and DORA.

What To Do Instead:
Simplify your incident reporting procedures and ensure they are in line with both regulations. Train employees on the importance of timely reporting and the specific processes to follow.

Mistake 3: Insufficient Training and Awareness
Lack of training and awareness about operational resilience can lead to employees being unprepared to handle incidents, which can increase the duration and impact of a disruption.

Why It Fails:
Employees who are not aware of their roles and responsibilities during an incident may hesitate or make incorrect decisions, prolonging the incident's resolution.

What To Do Instead:
Provide regular training and awareness sessions on operational resilience. Include scenario-based exercises to simulate real-life incidents and ensure that employees understand their roles and the steps to take.

Tools and Approaches

Manual Approach
Manual approaches to operational resilience involve creating policies and procedures, conducting audits, and managing incidents manually. This approach can be time-consuming and prone to human error.

Pros:

  • It can be customized to an organization's specific needs.
  • It allows for a hands-on approach to understanding every aspect of the resilience framework.

Cons:

  • It is labor-intensive and can be error-prone.
  • It may not scale well as the organization grows or as regulations change.

When It Works:
Manual approaches work well for small organizations or those with limited resources. However, they may not be sustainable as the organization scales up.

Automated Compliance Platforms
Automated compliance platforms like Matproof can help organizations streamline their operational resilience efforts. These platforms offer AI-powered policy generation and automated evidence collection, reducing manual labor and increasing accuracy.

What To Look For:

  • A platform that supports multiple regulations, including PRA SS1/21 and DORA.
  • Advanced AI capabilities for policy generation and evidence collection.
  • 100% EU data residency to ensure compliance with data protection regulations.
  • Endpoint compliance monitoring to ensure device-level compliance.

Matproof's Contribution
Matproof is a compliance automation platform built specifically for EU financial services. It offers AI-powered policy generation in German and English, automated evidence collection from cloud providers, and an endpoint compliance agent for device monitoring. With 100% EU data residency, Matproof ensures compliance with GDPR and other data protection regulations. For organizations looking to enhance their operational resilience while ensuring regulatory compliance, Matproof provides a comprehensive solution that can be integrated into their existing frameworks.

In conclusion, achieving operational resilience in the face of regulatory requirements from both the UK and the EU requires a comprehensive approach. By assessing your current state, identifying gaps, and implementing a robust operational resilience framework, you can ensure your organization is prepared for potential disruptions. Utilizing advanced tools like Matproof can further enhance your efforts, providing automated compliance and evidence collection to streamline your processes and ensure regulatory adherence.

Getting Started: Your Next Steps

Understanding the nuanced differences between PRA SS1/21 and DORA is essential for operational resilience compliance. Here’s a five-step action plan you can follow this week:

  1. Assess Your Current Compliance Maturity: Conduct an internal audit to assess where you stand concerning PRA SS1/21 and DORA requirements. Identify gaps and areas of non-compliance.

  2. Create a Cross-Functional Team: Establish a team with representatives from your risk, legal, IT, and compliance departments. This team will oversee your operational resilience strategy and ensure its alignment with both PRA SS1/21 and DORA.

  3. Prioritize Risks: Identify and prioritize operational risks based on their potential impact and likelihood. This prioritization will guide your compliance efforts and resource allocation.

  4. Develop a Response Plan: Develop a comprehensive incident response and crisis management plan that aligns with both PRA SS1/21 and DORA. Ensure it covers all potential operational disruptions, including third-party risks.

  5. Implement Continuous Monitoring: Set up a system for continuous monitoring and reporting of operational resilience. Use AI-powered tools like Matproof to automate policy generation, evidence collection, and endpoint compliance checks.

For further resources, refer to the official publications:

Frequently Asked Questions

Q1: How do I determine if my organization falls under the scope of DORA?

A: DORA applies to all credit institutions operating within the EU. It does not differentiate between the size or complexity of the institution. If your organization is a credit institution, you are subject to DORA regardless of your size or the complexity of your operations. Consult Article 2 of DORA for specific details on its scope.

Q2: What are the key differences between PRA SS1/21 and DORA regarding incident reporting?

A: PRA SS1/21 requires firms to report any operational incident that has a significant impact on their business. In contrast, DORA has a broader scope and requires the reporting of all material operational incidents, not just those that significantly impact the firm. This difference extends the reporting obligations under DORA beyond what is required by PRA SS1/21.

Q3: How does DORA's third-party risk management requirement differ from PRA SS1/21?

A: DORA places significant emphasis on managing risks associated with third-party relationships, including. It requires firms to conduct due diligence, establish risk management processes, and maintain contingency plans for third-party failures. While PRA SS1/21 also addresses third-party risk, DORA's requirements are more detailed and prescriptive, emphasizing the importance of robust third-party risk management.

Q4: What are the implications of DORA's requirement for ICT risk management?

A: DORA requires credit institutions to have a comprehensive ICT risk management framework in place. This includes identifying, assessing, and managing risks associated with their reliance on ICT systems and services. It also requires firms to have a contingency plan for ICT disruptions and to ensure the resilience of their ICT systems. This is a significant expansion of the ICT risk management requirements compared to PRA SS1/21.

Q5: How does DORA's approach to operational resilience differ from PRA SS1/21 in terms of recovery and business continuity planning?

A: DORA requires firms to have a comprehensive operational resilience framework in place, which includes recovery and business continuity planning. This framework must consider a wide range of disruptions, including those resulting from cyber incidents, pandemics, and other systemic risks. While PRA SS1/21 also requires business continuity planning, DORA's approach is more holistic and forward-looking, emphasizing the need for proactive risk management and preparedness for a broader range of potential disruptions.

Key Takeaways

  • Scope of Compliance: Ensure your organization understands and complies with both PRA SS1/21 and DORA, as their requirements differ significantly in areas such as incident reporting, third-party risk management, and ICT risk management.

  • Third-Party Risks: With DORA placing greater emphasis on third-party risks, it’s crucial to have robust due diligence and risk management processes in place for all.

  • ICT Risk Management: DORA's broader ICT risk management requirements mean that firms must have a comprehensive framework in place to manage and mitigate ICT risks effectively.

  • Operational Resilience Planning: Both PRA SS1/21 and DORA emphasize the importance of operational resilience planning, including recovery and business continuity planning for a wide range of potential disruptions.

  • Automating Compliance: Matproof can help automate various aspects of your operational resilience compliance, including AI-powered policy generation and automated evidence collection. Visit https://matproof.com/contact for a free assessment of your operational resilience readiness.

