Cyber 365 for Financial Services: Meeting FCA and DORA Requirements

Financial services firms operate under regulatory expectations that go well beyond Cyber Essentials' five technical controls. The FCA expects demonstrated operational resilience, and DORA requires a full ICT risk management framework. Both demand controls across governance, detection, response, and recovery that CE does not assess.
CE maps to one NIST CSF function, Protect; the FCA and DORA expect evidence across all six (Govern, Identify, Protect, Detect, Respond, Recover). That gap is a regulatory risk for firms that treat CE certification as their security programme.
The regulatory landscape
FCA PS21/3: Operational Resilience
The FCA's operational resilience framework is set out in PS21/3, published March 2021. The rules applied from 31 March 2022, and the transitional period for being able to remain within impact tolerances ended on 31 March 2025. Firms must:
- Identify their important business services
- Set impact tolerances for disruption to those services
- Map the resources that support those services (people, processes, technology, facilities, third parties)
- Test their ability to remain within impact tolerances through a range of severe but plausible scenarios
- Communicate effectively with regulators and stakeholders during disruption
This isn't about preventing cyber attacks (though prevention still matters). It's about proving that when disruption occurs, the firm can keep serving clients within its stated impact tolerances.
CE tests preventive controls, while PS21/3 tests resilience across the full disruption lifecycle.
DORA: Digital Operational Resilience Act
DORA (EU Regulation 2022/2554) applies from 17 January 2025 to EU financial entities. UK firms with EU operations or EU clients may fall within scope. Even for firms that are purely UK-based, the FCA has signalled alignment with DORA principles.
DORA requires:
- ICT risk management framework (Govern + Identify)
- ICT-related incident management, classification, and reporting (Detect + Respond)
- Digital operational resilience testing, including threat-led penetration testing for significant entities (Identify + Protect)
- ICT third-party risk management (Govern)
- Information sharing (Govern)
Every DORA pillar maps mainly to NIST functions that CE doesn't cover; only the testing pillar overlaps with Protect, and even there DORA expects ongoing, scenario-based testing rather than a point-in-time control check.
SYSC 13: Operational Risk
The FCA's SYSC 13 rules on operational risk require firms to have systems and controls to manage operational risks, including technology failures. This includes monitoring, reporting, and business continuity arrangements.
Where CE falls short for financial services
CE provides a solid technical baseline for preventive controls: patching, firewalls, MFA, antivirus, and secure configuration all reduce the probability of a breach. For commodity attacks, CE's controls are effective.
But financial services regulators don't ask "did you prevent the breach?" in isolation. They ask harder questions: when disruption occurred, could you continue to operate, did you detect the breach quickly enough, did you report it within required timeframes, and did you recover within impact tolerances?
CE can't answer any of those questions because it doesn't test any of those capabilities.
How Cyber 365 maps to financial services requirements
Govern: Risk management and regulatory alignment
CE doesn't test governance, but financial services regulators expect it as a baseline.
Cyber 365 Govern includes the following components:
- Risk assessment aligned to your firm's specific services and data classifications
- Security policy development mapped to FCA, PRA, and DORA requirements
- Board-level reporting: quarterly risk summary for the compliance function
- Third-party risk management for outsourced services (cloud platforms, data providers, technology vendors)
- Regulatory mapping: which FCA/PRA rules apply to your firm specifically
For smaller FCA-regulated firms (IFAs, wealth managers, boutique brokerages), governance doesn't mean building a department. It means having a risk register, clear ownership, and a quarterly review cycle. That is enough to demonstrate management attention.
Identify: Asset discovery and vulnerability management
CE requires a device and software inventory at assessment time, but financial services firms need continuous visibility into their environment.
Cyber 365 Identify covers these areas:
- Vulnerability scanning on a monthly or continuous cycle
- Asset inventory that tracks all systems supporting important business services
- Configuration reviews against CIS benchmarks
- Attack surface mapping: what's visible externally, what's connected to client data
PS21/3 requires firms to map the resources supporting their important business services. Without continuous asset identification, that mapping goes stale as systems change.
Protect: CE controls with automated maintenance
CE's five controls remain the foundation, and Cyber 365 adds automated patching and configuration management to prevent drift between assessments.
For financial services specifically, the Protect function also needs to address:
- Encryption of client financial data at rest and in transit
- Access controls aligned to the sensitivity of financial information
- Segregation of client money systems from general IT infrastructure
Detect: Monitoring for threats the FCA expects you to catch
The FCA expects firms to detect cyber incidents, but CE doesn't include any detection capability.
Cyber 365 Detect addresses this gap directly:
- EDR monitoring (behaviour-based detection)
- Vulnerability scanning on a regular cycle
- NCSC Early Warning Service integration
- Quarterly vulnerability trend reporting
Financial regulators increasingly assess detection capability during supervisory visits. A firm that can show real-time, behaviour-based monitoring has a fundamentally different conversation with its supervisor than one relying on signature-based antivirus alone.
Respond: Incident response with FCA reporting
FCA-regulated firms must notify the FCA of material cyber incidents immediately on becoming aware of them (Principle 11 and SUP 15.3). The 72-hour window is the ICO's, for personal data breaches under UK GDPR; there is no equivalent grace period for the FCA notification.
Cyber 365 Respond covers the full response lifecycle:
- Incident response plan tailored to financial services operations
- Pre-populated regulatory reporting templates: FCA notification, ICO 72-hour report, and client communication framework
- Annual tabletop exercise: a simulated scenario that tests decision-making, communication, and regulatory reporting
- Penetration testing to identify attack paths to client data and financial systems
The tabletop exercise is where financial services firms discover their gaps. Who calls the FCA, and what information do they need? If the trading platform is down, what's the manual fallback? If client data has been exfiltrated, when do clients get told?
Recover: Operational resilience within impact tolerances
PS21/3 requires firms to recover important business services within their stated impact tolerances, and CE doesn't test recovery at all.
Cyber 365 Recover fills that gap with these capabilities:
- Business continuity plan review aligned to PS21/3 important business services
- Backup verification and recovery testing
- Recovery procedure testing against severe but plausible scenarios
- Lessons learned documentation and improvement tracking
The recovery testing needs to be realistic. If your impact tolerance for client-facing services is 4 hours, can you actually restore those services within 4 hours? Only a timed restore test can demonstrate that, because a backup that exists but has never been restored doesn't satisfy PS21/3.
For smaller regulated firms
Not every FCA-regulated firm is a bank. IFAs, wealth managers, insurance brokers, and payment firms sit under the same regulatory framework; the expectations are proportionate to firm size, but they do not go away.
A 20-person IFA doesn't need a SOC. But it does need the fundamentals: someone who owns security risk, a tested incident response plan, detection beyond basic antivirus, and evidence that recovery works.
Cyber 365 Professional tier is designed for this profile. CE+ certification, monthly vulnerability scanning, automated patching, EDR, incident response planning, and governance reporting at a scale that fits a regulated SME.
If you want to understand what CE covers for financial services, read the CE guide for financial services firms. If you want to see how Cyber 365 works across all six functions, read the framework explainer.
If your starting point is checking where your firm's controls stand, the readiness quiz covers CE's five controls in five minutes with no commitment required.
Keep up with Cyber Essentials changes
New requirements, deadline changes, and practical assessment tips with no spam or sales pitches.
Subscribe to the newsletter | Follow Daniel on LinkedIn
Related articles
- Cyber Essentials for Financial Services
- Why Cyber Essentials Isn't Enough
- Cyber 365: How Our Security Framework Works
- Cyber Essentials vs Cyber 365: What's the Difference?
Related Guides
The Full Cyber Security Journey: CE Basic to Pen Testing
From Cyber Essentials Basic at £320 to penetration testing. The complete path through CE Plus, Cyber 365, and beyond, with pricing at each stage and why each step matters.
The 6 Things Cyber Essentials Doesn't Cover
CE covers Protect. Here are the five NIST functions it misses, with real consequences for each gap.
The Cost of Not Having an Incident Response Plan
Synnovis: GBP 32.7M. British Library: GBP 6-7M. Both had security controls. Neither had a tested response plan. Here's what that cost them.