What is PS21/3? Why time’s running out to comply with the UK’s DORA

Plenty has been written about the need for financial services firms to enhance operational resilience. But most of those column inches have until now focused on the EU’s Digital Operational Resilience Act (DORA), which came into force in January – even if many UK banks may not yet be compliant. Arguably more important for a larger number of British financial services companies is the Financial Conduct Authority (FCA)’s new Policy Statement: PS21/3.

Alongside the Prudential Regulation Authority (PRA)’s Supervisory Statement SS1/21, it forms a series of exacting new requirements for the sector that must be in place by 31 March 2025. For any organisations thinking of quietly deprioritising these efforts, a “Dear CEO” letter from the FCA in early February should focus minds.

The bottom line is that the regulator expects compliance. Fortunately, ISO 27001 can help in-scope organisations to create the culture of operational resilience that the FCA, PRA and DORA demand.

Digital change means digital risk

Like most sectors, financial services has grown steadily more dependent on digital infrastructure to stay competitive and provide the seamless online experiences that customers crave. As of 2024, some 86% of UK adults used online banking, and the figure for online and mobile banking combined is set to keep climbing over the coming years, thanks partly to the disruptive impact of fintech firms. The UK market for these businesses is set to be worth over $24bn (£19bn) by 2029.

The challenge with the growing pace of this digital transformation is the extra risk that comes with it. An increasing reliance on technology exposes banks and other firms to a greater risk of digital extortion, primarily from ransomware, while at the same time expanding the attack surface so that breaches become almost inevitable. That’s a potentially serious reputational and financial risk. According to the International Monetary Fund (IMF)’s Global Financial Stability Report, more than 20,000 attacks on the banking sector have caused losses exceeding $12bn (£9.5bn) over the past 20 years. Additionally, “extreme losses” have more than quadrupled since 2017 to $2.5bn (£2bn).

However, cyber risk does not always stem from malicious third parties. At the end of January, a major Barclays IT outage left countless customers high and dry, unable to pay taxes, bills and mortgage payments, or even access correct information on their accounts. The fallout has been predictably torrid for the high street lender, which at the time of writing had still not explained the cause of the incident.

What the FCA wants

That’s why the FCA for one appears to be keen to increase regulatory requirements around digital operational resilience in the sector. PS21/3 demands that banks, building societies, insurers, payment providers and others get the following in order before the end of March:

  • Identify the organisation’s most important business services and keep them regularly under review
  • Set impact tolerances for each of these services and regularly review them
  • Identify and document the people, processes, technology, facilities, and information needed to deliver key services. This includes any supplier relationships which could impact the organisation’s ability to remain within impact tolerance limits
  • Develop testing plans which describe how the organisation can remain within impact tolerances for each “important business service” – identifying plausible scenarios aligned to risks and vulnerabilities. This will help senior managers ensure vulnerability remediation plans are appropriately funded
  • Develop and test incident response plans
  • Deliver a self-assessment in line with handbook guidance to the relevant governing body. This should highlight the organisation’s journey to operational resilience, including an overview of vulnerabilities found, scenarios tested (plus their outcome), remediation plans, and the overall strategy for remaining within impact tolerances for all important business services
  • Carry out regular horizon scanning to help understand new and emerging risks, and ensure the right controls are in place to detect, respond to and recover from operational disruptions

The FCA has already published some observations on current compliance efforts, which it says should help to guide financial services companies as they assess readiness and finalise PS21/3 plans. The regulator is particularly keen to ensure that third-party risk is continuously and actively managed by in-scope companies, including through testing where appropriate, and that remediation plans are fully funded. It also demands that complying organisations do not treat PS21/3 as a “once and done activity”, but instead embed its requirements into corporate culture.

How ISO 27001 can help

This is where ISO 27001 comes into its own. According to ISMS.online chief product officer, Sam Peters, there’s alignment between the standard and PS21/3 in multiple key areas, including:

Governance and Accountability

Both emphasise leadership accountability in setting and overseeing resilience strategies.

Impact Tolerance and Risk Management

Both require risk-based decision-making and setting risk thresholds to maintain resilience.

Testing and Scenario Analysis

Both require regular testing to assess and improve operational resilience so that organisations can handle disruptions effectively.

Third-Party Risk Management

Both require due diligence on third parties, although ISO 27001 provides a structured approach for managing supplier security risks.

Incident Reporting and Response

Both require incident response planning, although “ISO 27001 goes further by ensuring incident handling is documented, monitored, and improved over time,” according to Peters.

Continuous Improvement and Learning from Disruptions

Both emphasise learning from disruptions to continuously enhance resilience.

“Firms using ISO 27001 already have a solid foundation for meeting FCA resilience requirements, especially in risk management, incident response and continuous improvement,” says Peters. “By leveraging ISO 27001, financial services firms can strengthen compliance with FCA rules while enhancing their overall security posture and resilience.”

As mentioned, the new FCA rules also share core principles around operational resilience with DORA. This includes greater leadership accountability, third-party resilience, improved incident response, and “mapping critical services, identifying vulnerabilities, and setting risk thresholds,” says Peters. Although the two regimes differ in terms of scope and enforcement, this offers an opportunity for UK financial firms operating in the EU to align FCA operational resilience strategies with DORA’s, using ISO 27001 as a foundation.

This will ultimately “help streamline compliance efforts and reduce regulatory risks”, Peters concludes.

This article was originally published on ISMS.online.