Hero Background
World-Class Cybersecurity Professionals at your Service

Regulatory Alignment & Policy Review

Your policies, benchmarked clause-by-clause against FCA rules and DORA's technical standards 

BOOK A DISCOVERY CALL

Article-level findings, strengths credited, evidence your compliance team can hand straight to a supervisor

What Is a Regulatory Alignment and Policy Review?

A Regulatory Alignment and Policy Review benchmarks your IT and information security policy suite against the specific regulatory instruments that govern your firm — clause by clause, article by article.

Where a generic policy review asks, "Is this good practice?", this review asks the question your regulator will ask: "Where, exactly, does this policy meet — or fail to meet — the requirement?"

Every finding cites the precise provision it relates to: DORA RTS (EU) 2024/1532 Article 2(2)(b) on management-body approval dates; Article 21 on privileged access; FCA SYSC 15A on operational resilience; UK GDPR Article 32 on security of processing. And every finding is anchored to the exact section, paragraph and page of your document, so nothing is left to interpretation.

It is assurance, not an audit. Collaborative, blame-free, and balanced. Strengths are formally credited: Where your policy exceeds the regulatory benchmark (a quarterly privileged-account review where the standard asks for six-monthly, say), the review says so, in writing, with the article reference. That balanced record is itself valuable evidence of a functioning control environment. 

The result: An article-mapped findings tracker that doubles as a regulatory evidence pack, feeding your DORA documentation, your FCA operational resilience self-assessment, and your next supervisory conversation.

Why Regulated Firms Commission This Review?

For a regulated firm, policies aren't just governance hygiene. They're regulatory artefacts. They're read by supervisors, cited in Section 166 reviews, quoted in enforcement notices, and requested in every due-diligence exercise. Let's take a look at the main reasons regulated firms commission a regulatory alignment review. 

 

Reason #1: DORA specifies your policy content — literally

DORA's technical standard on ICT risk management (RTS (EU) 2024/1532) prescribes what ICT security policies must contain: The date of formal approval by the management body, assigned review cycles, recorded exceptions, consequences of non-compliance, segregation of duties, and detailed requirements for identity and access management, logging, patching, encryption, backup and asset inventories. If your firm is in DORA's scope, or supplies EU financial entities, your policies either meet these articles or they don't. The Regulatory Alignment and Policy review tells you which, article by article.

Reason #2: The FCA is now reading, not waiting

The operational resilience regime is in its ongoing phase. The transition ended in March 2025, and the FCA has since published its observations from reviewing firms' self-assessments, including criticism of documentation that exists in form but lacks substance. Policies that contradict each other, carry blank or unexplained approvals, or reduce clear requirements to optional “shoulds” are exactly the kind of substance gaps that turn a routine review into a difficult conversation. Cleaning up these inconsistencies now means your next assessment reads as a coherent, intentional framework.

Reason #3: March 2027 is a policy deadline, not just a reporting one

The new operational incident and third-party reporting regime (FCA PS26/2, PRA PS7/26/SS1/26) applies from 18 March 2027. Your incident policies will need to reflect the new definitions, thresholds and 24-hour initial reporting expectation; your supplier policies will need to support the material third-party register and notifications. The review identifies where current wording will fall short of the incoming regime while there's still time to fix it calmly.

Reason #4: SM&CR makes policy governance personal

Blank "Approved By" fields, review dates that predate the document, & undefined approval authorities aren't cosmetic when senior managers hold personal regulatory accountability. Our review goes through every line of your policies, standards and procedures to surface governance gaps, inconsistencies and missing sign‑offs. We map each document to the right senior personnel, clarify who actually owns what, & highlight where your documents conflict with each other.

Reason #5: One review feeds every obligation

As findings are mapped at the article level, the same tracker serves multiple masters: DORA documentation requirements, the FCA self-assessment, SYSC systems-and-controls evidence, ISO 27001 certification, client and insurer due diligence. Your compliance team stops translating between frameworks — the mapping is done.

Reason #6: Independent assurance carries weight yours can't

A first-line self-review is a control; an independent, criteria-based review with cited provisions is evidence. When the auditor or the risk committee asks how you know your policy layer is sound, "We had it independently benchmarked against the applicable articles, here is the tracker and here is the closure record" is a categorically stronger answer.

Regulatory Alignment and Policy Review

How the Regulatory Alignment and Policy Review Works


  1. Regulatory scoping. A short call to establish your regulatory perimeter — FCA permissions, PRA status, DORA exposure (EU entities, group structure, EU financial-entity clients), and any sector specifics — plus the policy set in scope. Where a firm is UK-only, we apply DORA as a benchmark baseline and say so transparently in the report: it is the most demanding common denominator, so alignment to it gives you headroom everywhere else.

  2. Clause-by-clause benchmarking. Our practitioners review each policy against the applicable provisions — DORA and its RTS, FCA SYSC and the operational resilience rules, UK GDPR/DPA 2018, and supporting standards (ISO/IEC 27001:2022, current NCSC guidance, Cyber Essentials) — and against the rest of the suite for consistency.

  3. Article-level findings. Every finding carries: A locator (section, paragraph, page), a plain-English explanation, the specific regulation article or standard clause, a priority (High/Medium/Low), and a practical, wording-level remediation. Strengths carry the same references and are marked as such.

  4. Delivery and walkthrough. A structured tracker — one sheet per policy plus a summary dashboard — with a client-status column (Open/WIP/Closed/N/A) that becomes your permanent remediation record. We walk your compliance and IT leads through every material finding.

  5. Closure and re-review. Once remediation lands, a re-review evidences closure against the same articles — a dated, independent assurance trail for your self-assessment, your board and your supervisor.

MORE INFO

Who Is This Service For?

 

FCA-authorised firms of every size: Wealth and investment managers, advisers, insurers, payment and e-money institutions, lenders and banks. UK firms with DORA exposure through EU entities, group structures or EU financial-entity clients, and the senior individuals accountable for their control environments: CISOs, Heads of Risk & Compliance, COOs and SMF holders.

Not a regulated firm, or want the broader benchmark? Our Security Policy Assurance Review applies the same locator-level methodology across sectors, benchmarked to good practice, CAF and ISO 27001.

Companion assessments: Policies are the map; capability is the territory. The Operational Resilience Assessment gives your board a measured view of actual resilience against your growth objectives, and the Technical Resilience Assessment does the same for your technical teams, together closing the loop between what your documents promise and what your firm can do.

who is regulatory alignment for

Key Benefits of the Regulatory Alignment and Policy Review

 

Supervisory-ready evidence

An independent, article-mapped review you can put in front of the FCA, an auditor or a reviewer with confidence. 

DORA documentation, accelerated

The RTS mapping work your compliance team would otherwise have to complete manually gets already done for you.

Feed your self-assessment

Findings and closure records drop straight into the FCA operational resilience self-assessment as evidence of a living control environment. 

De-risk March 2027

Quickly identify incident management and third-party risk policy gaps against PS26/2, with clear remediation actions, prioritised timelines, and accountable owners.

Protect senior managers

Governance gaps that create SM&CR exposure are systematically identified, clearly evidenced, and closed through practical, board-ready actions.

No operational disruption

Your team simply agrees to the scope, securely shares the relevant policies, plans and governance artefacts, and then joins a focused walkthrough of the findings.

Balanced and credible

Strengths credited with the same rigour as gaps, so the report reads as fair to the board and defensible to a regulator.

One benchmark, many uses

The same tracker serves DORA, FCA, ISO 27001 and due-diligence purposes without re-translation.

How the Review Maps to DORA, FCA Rules, NIS2 and the CAF?

DORA (Article-Level Benchmarking)

DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 across its five pillars: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. For policy purposes, the critical instrument is the ICT risk management RTS (EU) 2024/1532, which converts the regulation into checkable policy requirements. Examples of the article-level checks the review performs: 

  • Art. 2(2)(b) — Does each policy record the date of formal approval by the management body?
  • Art. 2(2)(e)–(f) — Are consequences of non-compliance specified, and is required documentation listed?
  • Art. 2(2)(g) — Is segregation of duties addressed in the context of the three lines of defence?
  • Art. 9(4)(d) / Art. 21(f) — Is strong authentication mandated for remote and privileged access, without gaps?
  • Art. 21(e) — Are privileged accounts need-to-use, reviewed on cycle, and revoked without undue delay on leaving?
  • Art. 12(2) — Do logging requirements cover retention, tamper protection, failure detection and clock synchronisation?
  • Art. 10(4) — Do patching policies define deadlines, emergency procedures and escalation routes?

Findings cite these provisions directly, so the tracker functions as a ready-made component of your DORA evidence base. UK-only firm? We apply DORA as a transparent benchmark baseline — the strictest widely recognised statement of ICT policy content — giving you headroom against every other framework you face.

 

FCA and PRA — From SYSC to the 2027 reporting regime 

The review benchmarks your suite against the FCA fabric your policies must support: SYSC systems-and-controls obligations; the operational resilience regime (PS21/3 / SYSC 15A, PRA SS1/21) — where your policies are evidence for the self-assessment the FCA is now actively reading in its ongoing phase; record-keeping and communications rules (including approved-channel and call-recording expectations for client communications); SM&CR accountability for the governance of the suite itself; and the incident and third-party reporting regime (PS26/2 / PS7/26) applying from 18 March 2027, against which your incident classification, escalation and supplier policies are checked for forward compatibility. Where relevant, findings also reference Principle 11 / SUP 15 notification expectations, so incident policies point staff to the right regulatory reflexes.

 

NIS2 — for firms and groups with EU operational footprints 

Financial entities are primarily DORA's territory (as lex specialis), but NIS2 matters to many financial groups anyway: group service companies, data-centre and ICT subsidiaries, or affiliates in NIS2 sectors can be in scope, and your critical suppliers almost certainly are. NIS2's Article 21 measures expressly require policies — on risk analysis and information system security, cryptography, access control and supply-chain security — with management bodies accountable for approving them. The review flags where your suite would satisfy those expectations, and where supplier-facing policies should require NIS2-grade assurances from the vendors you depend on. For UK operations, the incoming Cyber Security and Resilience Bill extends NIS-style duties to managed service providers, data centres and designated critical suppliers — directly relevant to the third parties in your supply chain.

 

NCSC CAF — the outcomes lens UK regulators increasingly share 

The NCSC's Cyber Assessment Framework (CAF v4.0) — four objectives, fourteen principles, forty-one contributing outcomes — is the UK's common language for cyber resilience oversight, and its influence is spreading beyond essential services into the expectations of every UK regulator, the FCA included.

Two parts of the CAF bear directly on this review: Objective A (managing security risk — governance, ownership, approval and communication of policy) and Principle B1 — Service Protection Policies, Processes and Procedures, which asks whether policies are proportionate, communicated, and demonstrably followed rather than merely written. The review maps findings to the relevant CAF outcomes and flags wording that would make an outcome hard to evidence as "achieved" — useful both for firms with CAF-assessed entities in the group and as a forward indicator of UK supervisory direction.

 

Supporting Benchmarks Applied Throughout 

ISO/IEC 27001:2022 (cl. 5.2 and Annex A), current NCSC guidance (applied as living guidance — e.g. modern positions on password complexity, expiry, passphrases and passwordless), Cyber Essentials / Plus, and UK GDPR / DPA 2018 (Arts. 5 and 32) wherever policies touch client or employee personal data.

(Note: This review provides independent assurance and regulatory relevance mapping. It is not legal advice, a compliance certification, or a substitute for a formal legal or regulatory opinion. Regulatory applicability depends on your firm's legal structure, permissions and activities.)


What You Receive from our Regulatory Alignment and Policy

Article-level regulatory mapping

every applicable finding cites the exact DORA/RTS article, FCA rule or standard clause, ready to lift into your DORA documentation or FCA self-assessment.

Locator-level traceability

section, paragraph and page for every finding; verify anything yourself in seconds.

Priority-rated gaps with wording-level fixes

 not "improve access control" but the specific sentence to change and what it should say.

Strengths credited with references

written, independent recognition where your controls meet or exceed the regulatory benchmark.

Policy-level consistency findings

cross-policy contradictions, inconsistent governance routes, must/should drift and broken cross-references.

Forward-looking flags

wording that will fall short of incoming requirements (e.g. the March 2027 incident and third-party reporting regime) flagged now.

A summary dashboard

findings by policy and priority, updating automatically as items close.

 

A living client-status tracker

your permanent, auditable remediation record.

 

Follow-up assurance review

Independent re-review of updated policies to confirm issues are fixed and evidence progress for governance, audit and regulators.

 

What Article Level Findings Look Like

 

 

Regulatory Alignment & Policy Review FAQs

  • 1. What is a Regulatory Alignment & Policy Review?

    It's an independent review that benchmarks your IT and security policy suite clause-by-clause against the regulatory instruments applicable to your firm — principally DORA and its ICT risk-management RTS, and FCA rules including SYSC and the operational resilience regime. Every finding cites the specific article or rule, is traceable to the exact location in your document, carries a priority and a practical fix, and strengths are credited with the same rigour.

  • 2. How is this different from your Security Policy Assurance Review?

    Same methodology, different lens. The Security Policy Assurance Review benchmarks primarily against good practice — NCSC guidance, ISO 27001, CAF, Cyber Essentials — for any organisation. The Regulatory Alignment & Policy Review leads with the law: article-level mapping to DORA's RTS and FCA rules, forward flags for incoming regimes, and outputs designed to slot into regulatory evidence packs. Regulated financial firms typically choose this one; both credit strengths and deliver the same living tracker.

  • 3. What exactly does DORA require our policies to contain?

    More than most suites currently include. DORA's ICT risk-management RTS (EU) 2024/1532 requires ICT security policies to record the date of formal approval by the management body, assign review cycles, record exceptions, specify consequences of non-compliance, list the documentation to be maintained and address segregation of duties — plus detailed content requirements for identity and access management, logging, patching, encryption, backup and asset inventories. The review checks your documents against these provisions article by article.

  • 4. We're a UK-only firm. Does DORA even apply to us?

    Possibly not directly, DORA applies to financial entities operating in the EU and to their critical ICT providers, so a purely UK firm is typically out of direct scope unless it has EU entities, group exposure or EU financial-entity clients. But we apply DORA as a transparent benchmark baseline regardless, because it's the most demanding widely recognised statement of ICT policy content: a suite aligned to DORA meets FCA, CAF and ISO expectations with headroom, and you're already prepared if EU exposure arrives.

  • 5. How does the review support our FCA operational resilience self-assessment?

    The self-assessment is a living document the FCA now actively reviews, and it must be substantiated — not just complete in form. Our findings and your closure records provide dated, independent evidence that the policy layer underpinning your important business services is governed, consistent and benchmark-aligned; strengths credited in the review can be cited directly, and remediated gaps demonstrate exactly the "living programme" the FCA has said it wants to see.

  • 6. Does the review cover the new incident and third-party reporting rules coming in March 2027?

    Yes, as forward-looking flags. The FCA's PS26/2 and the PRA's PS7/26 apply from 18 March 2027, introducing a common definition of an operational incident, reporting thresholds, an initial report generally expected within 24 hours, and notification plus an annual register for material third-party arrangements. The review checks whether your incident classification, escalation and supplier policy wording will support those obligations, and flags what to change while there's still runway.

  • 7. Is this legal advice or a compliance certification?

    No. It's independent assurance with regulatory relevance mapping: we show precisely where your policies align with, or fall short of, cited provisions, but we don't issue legal opinions or compliance certificates, and regulatory applicability ultimately depends on your firm's legal structure and permissions. Many clients use the review to focus and reduce subsequent legal spend — counsel reviews a mapped tracker far faster than a raw policy suite.

  • 8. What does "strengths credited" mean in practice and why does it matter to a regulator?

    Wherever a policy meets or exceeds the benchmark, the review says so explicitly, with the article reference — for example, a quarterly privileged-account review credited against an RTS benchmark of at least six-monthly. This matters because a balanced, evidenced record of a functioning control environment is itself useful regulatory evidence — and because reviews that only catalogue faults get shelved, while fair ones get actioned.

  • 9. How much of our team's time does it take?

    Minimal by design: a scoping call to establish your regulatory perimeter and policy set, then a findings walkthrough with your compliance and IT leads at the end. The review itself is performed on your documents — no workshops, interviews or system access — so it's one of the highest-assurance, lowest-disruption engagements a regulated firm can commission.

  •  10. Which policies should be in scope?

    The core ICT security set that regulators touch most: passwords and authentication, privileged access, malware and vulnerability management, asset management, data classification and handling, acceptable use and mobile/remote working, plus incident-related and supplier-facing policies given the 2027 regime. A typical engagement covers five to fifteen documents, agreed at scoping — and reviewing them as a suite is essential, because cross-policy contradictions are among the most significant regulatory findings.

  • 11. How often should the review be repeated?

    Annually as a baseline — matching the review cycles DORA's RTS and ISO 27001 expect your policies themselves to have — and sooner after material change: new permissions or business lines, EU exposure bringing DORA into direct scope, the run-up to the March 2027 reporting regime, restructuring, or a significant incident. Re-review evidences closure of prior findings against the same articles, completing a demonstrable assurance loop.

  • 12. How does this fit with your resilience assessments (ORA and TRA)?

    They're complementary halves of one question. This review establishes whether your written control environment says the right things — governed, consistent, article-aligned. The Operational and Technical Resilience Assessments measure whether your firm can actually deliver what those documents describe when serious disruption hits. Regulators increasingly probe exactly that gap between documentation and capability; running the policy review and then validating capability with an ORA or TRA closes it from both ends.

 
Client Feedback

Listen to what our clients have to say about our consultancy services

"In order for BMJ to the right way forward we looked for a VCISO to advise us on the right way to do things and give us expertise. We went to Cyber Management Alliance and it's been about a year now and we ran workshops, looked at our response to incidents, created the incident response plan and we are in a position now where we understand our way forward. Our VCISO keeps us on our toes and overall it's been a very effective way of delivering expertise into the organisation that we wouldn't have normally had."

Aaron Townsend, Service Delivery Manager, British Medical Journal  

 

 

Ready to Know Exactly Where You Stand — Article by Article?

One scoping call to map your regulatory perimeter. One document-based review. One tracker your compliance team will use for years.

Let us show you why our clients trust us and love working with us.
All trademarks, service marks, trade names, product names, service names and logos appearing on the site, or on printed or digital material are the property of their respective owners, including in Cyber Management Alliance Ltd. Any rights not expressly granted herein are reserved.
Footer Top Background Image
Simply fill in your details to request a FREE callback