Beyond compliance: Turning UK Operational Resilience and DORA requirements into a competitive advantage.

The financial sector is more digital than ever, but with increased connectivity comes heightened risk. Cyber threats and ICT disruptions can bring financial institutions to a standstill, impacting businesses and customers alike. That’s why, on 17 January 2025, the Digital Operational Resilience Act (DORA) began to apply across the EU, and 31 March 2025 marks the end of the transition period (which began on 31 March 2022) under which regulated financial firms in the United Kingdom (UK) must comply with the UK’s operational resilience requirements. As a key part of the European Commission’s Digital Finance Strategy, and of the UK authorities’ push to enhance resilience across financial market infrastructure, these requirements set a new standard for operational resilience, requiring financial entities to fortify their systems and processes. But what does this mean for businesses, and how can they stay ahead?
Enfuce’s Daniel Alter, Chief Risk Officer & Money Laundering Reporting Officer (MLRO), and Kalpesh Bharadwa, Head of IT & Information Security, break down the impact of DORA and the UK’s Operational Resilience Requirements (together, “operational resilience”), and how businesses can turn compliance into a competitive advantage.
What does operational resilience mean for businesses across the UK and Europe, and how is Enfuce ensuring compliance so that customers don’t need to worry?
Daniel Alter: For me, it’s about making sure our operations, including those reliant on ICT infrastructure, are robust – that we can withstand more before reaching a breaking point. We want to ensure our platform, systems and processes remain intact and are capable of handling disruption. It’s about being prepared to manage challenges effectively and being well positioned to continue delivering high quality services to our clients even in the face of disruption.
For businesses impacted by this regulation, there must be a heightened focus on managing risk in relation to technology, employees, contractors, third-party service providers (including outsourcing) and ensuring data is secure. More broadly, it is about being aware of the resources required to deliver your services, and understanding any weaknesses or vulnerabilities that could impact the delivery of services. In particular, stronger collaboration and understanding of your firm’s entire supply chain is essential — not only with direct suppliers, but also fourth party suppliers as well, to better understand and address any vulnerabilities.
Kalpesh Bharadwa: From my experience, operational resilience has brought about increased oversight of ICT third parties. We now face more rigorous compliance standards, conduct thorough due diligence on our vendors, and implement clear criteria for supplier selection. This allows us to take a more proactive and transparent approach to reducing operational risks, as we now monitor ICT vendors throughout the year rather than taking a tick box annual due diligence approach or paying attention only when issues arise.
Daniel Alter: Given Enfuce’s group structure – including a payment processor and regulated entities in the UK and Europe – we find ourselves in an interesting position where we are directly captured and impacted by operational resilience requirements. Regulated card issuers need their payment processors to be compliant with operational resilience requirements, but unlike Enfuce, most don’t have this kind of expertise in-house. This is a real advantage for us, because it means we know what needs to be done to be compliant, both in our capacity as a directly authorised firm, and as a payment processor that sits in the supply chain of other authorised firms. This in turn enables us to better support our customers.
How does DORA differ from other similar frameworks like ISO 27001?
Daniel Alter: There is some overlap, but DORA is more than just ISO 27001 – it goes beyond information security. It encompasses incident management, the evaluation of third parties, contract management and much more.
Kalpesh Bharadwa: The key differentiators are that ISO 27001 focuses more on managing data risks within a business, while DORA is specific to the financial sector. Additionally, DORA imposes more stringent requirements for ICT service providers.
Whilst there is overlap in the foundations of both ISO 27001 and DORA, DORA introduces stricter, heightened requirements, particularly regarding incident reporting and resilience testing.
Even if a company is compliant with ISO, they’ll need to take some extra steps to ensure they’re also DORA compliant. DORA is a much more comprehensive regulation and covers more of a company’s supply chain.
“At Enfuce, our group structure – including a payment processor and regulated entities in the UK and Europe – gives us a unique advantage in providing high quality issuer processing services to other card issuers. With our in-depth knowledge of regulatory requirements, we help streamline compliance for our clients. We understand regulator timelines, provide relevant data for regulatory reporting, and ensure our business continuity and resilience documentation and frameworks look and feel like what a regulator would expect to see.
For our clients, this means we’re easy to work with, as we already adhere to the same high standards for our own regulated entities.”
– Daniel Alter, Chief Risk Officer & Money Laundering Reporting Officer, Enfuce
Why did the UK and Europe introduce operational resilience requirements in the first place? Is there a demand for more regulation in the sector?
Daniel Alter: We’ve seen more failures in tech and cybersecurity in recent times, even from high-profile financial institutions, and we need to ensure that services are more robust. It’s about raising the bar and setting higher standards. I wouldn’t say there is a demand for more regulation, but there is a drive toward higher quality delivery of services which benefits everyone. Appropriate and proportionate regulation can be a positive catalyst for change.
Kalpesh Bharadwa: One of the key operational resilience requirements is for financial entities to implement processes that allow them to share their learnings from incidents that have occurred. A whole network will be able to learn from what went wrong and how to prevent similar failures in the future. This is no longer a closely guarded secret – regulators want people and entities to learn from these issues to prevent them from happening again.
This will be a real transformation in terms of how information is shared across the industry, meaning companies are not only better placed to weather future storms, but customers will be better protected, too.
How will operational resilience requirements across the UK and Europe impact the future BIN sponsorship landscape and processing as a whole, and what specific changes can businesses expect to see?
Daniel Alter: Let’s start with a brief introduction to what BIN Sponsorship means in the context of Enfuce. We are an authorised Electronic Money Institution (EMI) in both the UK and Europe, and a Principal card scheme member with Visa and Mastercard. This allows us to issue electronic money, issue payment cards (physical or virtual), and execute card transactions.
The term BIN means Bank Identification Number, which forms part of a cardholder’s Primary Account Number (PAN) and can be used to identify the card issuer. When sponsoring a BIN, a card scheme member can enable a non-card scheme member to issue cards under the umbrella of their membership.
We collaborate with programme partners (our clients) – businesses that wish to launch card programmes, meaning they want to issue cards to their own consumers, be it online, via an app or face to face. Enfuce issues these cards on their behalf, and these are the companies cardholders engage with. Under these BIN Sponsorship arrangements, the BIN Sponsor (i.e. Enfuce) retains full regulatory accountability for the management of these card programmes.
The delivery of BIN Sponsorship services is highly reliant on ICT infrastructure – from contactless payments to one-time passcodes, including an array of technology arrangements underpinning card issuing and transaction processing. With operational resilience requirements now in effect, financial entities will need more robust oversight of their programme partners and any related technology providers, for example, ensuring that the functionality of any apps provided to cardholders is operating effectively.
Kalpesh Bharadwa: The future of BIN sponsorship may involve either increased oversight or reduced reliance on external parties, with more functions brought in-house to provide greater control. Either option can work, as long as it’s done the right way.
On the processing side, we’ll face more scrutiny, and we’ll need to provide long-term monitoring in case issues arise by proactively engaging with the process.
One of our competitive advantages at Enfuce is that we already have robust oversight and have implemented these measures ahead of time. This will allow us to future-proof our operations as higher levels of regulatory scrutiny impact the BIN Sponsorship sector. Companies that haven’t taken these steps will struggle to adapt to upstream regulatory and market changes. It is important that clients are aware of this and pick a BIN Sponsor they can rely on; the last thing any client wants is to be scrambling and looking to migrate to another BIN Sponsor because their existing sponsor has suffered a failure or got into regulatory hot water.
Are there any other ways that businesses, customers, and partners will need to adapt in anticipation of other potential operational resilience-style regulations?
Daniel Alter: If new requirements come out, we will always know in advance and will communicate this to our clients so they are aware of how changes can impact them – for example if we need to request new data, or need to conduct additional audits. For new clients, the impact won’t be so great, as we will communicate any requirements very clearly during onboarding, so there won’t be any surprises.
When I think about operational resilience, it is simply formalising good risk management, the activities that regulated firms should have been doing all this time anyway. For example, mapping your resources or setting impact tolerances has always been good practice, although there was less direction over how this should have been done previously.
The critical component which was perhaps missing across the market prior to these regulations coming into force is the emphasis on resilience. Standard risk management focuses on the likelihood and the impact of a risk crystallising, whereas operational resilience requirements are effectively telling firms to focus on the impact, and to assume disruption is inevitable, therefore focusing efforts on building resilience in the face of disruption to the areas of highest impact.
“One of our competitive advantages at Enfuce is that we already have robust oversight and have implemented these measures ahead of time. This will allow us to future-proof our operations as higher levels of regulatory scrutiny impact the BIN Sponsorship sector. Companies that haven’t taken these steps will struggle to adapt to upstream regulatory and market changes.
It is important that clients are aware of this and pick a BIN Sponsor they can rely on; the last thing any client wants is to be scrambling and looking to migrate to another BIN Sponsor because their existing sponsor has suffered a failure or got into regulatory hot water.”
– Kalpesh Bharadwa, Head of IT & Information Security, Enfuce
Will DORA require cross-departmental collaboration? If so, how will different teams work together?
Kalpesh Bharadwa: It’s not possible without cross-departmental collaboration. Everybody must be aware of third-party risk and how they need to manage their relationships with third-party suppliers.
You have legal, risk, IT, engineering, and customer services all involved – they all play a role in how we communicate any changes to customers.
It’s more than just a couple of small teams in the basement pulling this together. We had everyone involved with this.
Companies will need to prove to regulators that they have deployed the changes needed to be compliant. It’ll become clear very quickly where companies have left the heavy lifting to their compliance departments, and haven’t involved the right stakeholders.
Will regulation like this pave the way for a more ethical, accountability-focused industry?
Daniel Alter: It will promote ethical behaviour – whether or not a company is doing it for the right reasons, having to comply with this regulation will result in more ethical outcomes and accountability across the industry. If regulated entities don’t comply, then businesses will turn to other service providers who do. These requirements will also push ethical standards down the supply chain and ultimately improve the overall quality of service for consumers.
Enfuce is highly focused on ESG principles. We’ve used our operational resilience framework as an opportunity to implement ESG requirements throughout our supply chain. While this isn’t a requirement, it’s something we do here at Enfuce to ensure we are delivering the best service to customers, and that we’re working with companies who share our mission.
What role will technology play in helping businesses comply with Operational Resilience requirements, and how will innovations in automation or AI help manage these new regulatory requirements?
Daniel Alter: I think there’s a lot of manual work that goes into implementing these requirements, and we’re talking from all angles – writing policies, mapping resources, setting tolerance, updating contracts, performing due diligence, producing your register of information, ensuring accurate reporting, and much more.
Many of these tasks can be done manually, but they’re time consuming. I do believe that with AI, especially generative AI, you can achieve results much faster, but I would caution relying on AI too heavily. It may be a helpful tool to get you off a blank page and to give some inspiration, but expertise is required to execute and implement compliant operational resilience frameworks.
At Enfuce, we’ve also recently started working with a third-party risk management system – this type of tooling can help to create structure, and can support in managing these processes more efficiently, and with reduced human error.
Kalpesh Bharadwa: I’d be lying if I said tech didn’t help us, because it’s the only way we’ve been able to get this off the ground in such a short time frame. It also allows you to automate oversight of your third-party suppliers – sending questionnaires, getting responses back, and calculating risk assessments.
From an incident management perspective, leveraging technology to implement structured templates for capturing critical information not only enhances consistency and reliability but also builds trust in the process. Tooling and automation play a crucial role in streamlining our incident response plan and reducing human error. We can efficiently manage reporting requirements, detect risks in real time and maintain resilience.
Final takeaway
Operational resilience requirements aren’t just another regulatory hurdle – they are a chance for financial institutions to build resilience in an increasingly digital world. By enforcing stricter oversight of ICT risk management, third-party providers, and incident response, they help ensure businesses can weather disruptions and keep their customers protected.
At Enfuce, we’re ahead of the curve. Our secure, cutting-edge solutions help businesses stay compliant without the complexity. While these requirements introduce new obligations, they also open doors – offering the opportunity to strengthen operations, boost collaboration, and future-proof services. With the right strategy and technology, compliance isn’t just a box to tick; it’s a competitive advantage.