DORA compliance is a strategic necessity for U.S. companies serving EU financial institutions
The Digital Operational Resilience Act (DORA) takes effect today, January 17, 2025, in the European Union. It establishes a regulatory framework to protect the financial sector's operational resilience amid growing cyber threats and operational disruptions. While DORA is primarily targeted at EU-based financial institutions, its implications extend far beyond Europe, particularly impacting U.S.-based companies that provide services to these institutions.
As the global financial system becomes more interconnected, it's apparent that regulatory frameworks like DORA are not isolated to one region. U.S. companies, especially those in the information and communication technology (ICT) sectors, must pay close attention to DORA’s implementation. With cybersecurity regulations converging around the globe, DORA stands as a key example of how businesses must adapt to a new era of stringent, internationally recognized operational resilience standards.
The Scope of DORA: Who and What Does It Affect?
DORA casts a wide net in defining who is subject to its mandates. The regulation applies primarily to EU-based financial institutions, including banks, investment firms, and credit institutions. These entities must implement robust risk management frameworks to mitigate the impacts of cyber threats and operational disruptions on their operations.
DORA also affects the ICT service providers that support these financial institutions, including cloud service providers, data management companies, cybersecurity firms, and software vendors. U.S.-based companies that provide these critical services to EU financial entities must meet the same operational resilience standards as EU firms, even though they are not physically located within the EU.
The extended reach of DORA also covers third-party ICT service providers, especially U.S.-based companies offering critical technologies and services. These businesses must now demonstrate that they meet DORA’s resilience standards to remain eligible to serve EU financial institutions, regardless of where they operate.
The Key Requirements for U.S. Companies
DORA introduces significant requirements that companies must navigate to ensure compliance. Financial institutions and their service providers must implement robust risk management frameworks to prevent, detect, and recover from cyber threats and operational disruptions. This calls for proactive resilience measures rather than reactive responses.
A critical aspect of DORA is its incident reporting mandate, which requires reporting significant ICT-related disruptions (like data breaches or cyberattacks) to regulators within 24 hours. U.S. companies must have systems to detect incidents promptly and respond within this tight window to avoid penalties and loss of trust with EU clients.
DORA also enforces third-party risk management by holding financial institutions accountable for their vendors' operational resilience. U.S. vendors serving EU financial institutions need to adhere to DORA’s stringent standards, including audits and vulnerability assessments, spreading compliance responsibility across the supply chain. Lastly, stress testing is mandatory to evaluate preparedness for cyberattacks and disruptions. U.S. companies should integrate vulnerability assessments, penetration tests, and scenario-based drills to demonstrate their resilience under DORA’s requirements.
The Cost of Non-Compliance
Following the enactment of DORA, competent authorities in each EU member state are now authorized to impose administrative—and in some cases, criminal—penalties for non-compliance. Critical ICT providers are subject to direct oversight by designated lead overseers, who have the authority to levy fines of up to 1% of daily global turnover for persistent non-compliance.
Legal, Financial, and Operational Consequences
Failing to comply with DORA can result in steep fines, operational restrictions, and even exclusion from partnerships with EU financial entities. Non-compliance can also necessitate costly remediation efforts, including system upgrades, additional audits, and enhanced reporting mechanisms.
Reputational Risks
The reputational impact of non-compliance cannot be overstated. U.S. companies that fail to meet DORA’s standards risk losing the confidence of their EU partners, potentially tarnishing their brand and jeopardizing future opportunities.
Proportional Compliance
Smaller entities will face scaled requirements compared to larger institutions. While technical specifics are still under development, entities must align their governance, incident response, and resilience strategies with DORA’s foundational framework to ensure compliance and maintain operational readiness.
A Compliance Roadmap for U.S. Companies
To comply with DORA, U.S. companies should conduct a gap assessment to identify where their cybersecurity and resilience measures fall short of DORA’s standards. This will allow them to create a clear compliance roadmap, addressing critical areas such as risk management, incident response, and third-party oversight.
One key area of focus is strengthening incident reporting protocols. DORA mandates a 24-hour reporting requirement for significant ICT incidents, so businesses must enhance their ability to detect and assess incidents in real time. This includes implementing systems for continuous monitoring and conducting regular tabletop exercises to ensure swift and effective incident response.
In addition, U.S. companies should incorporate penetration tests and vulnerability assessments into their operational strategies to identify potential weaknesses before they are exploited. Simulating cyberattacks or service disruptions through scenario-based drills will help organizations evaluate their ability to maintain operations during a crisis.
Finally, companies must pay close attention to third-party risk management, especially if they provide services to EU financial institutions. This involves assessing the resilience of their suppliers and subcontractors to ensure they meet DORA's requirements. Seeking independent audits and certifications can help demonstrate compliance and ensure readiness for potential disruptions in the supply chain.
Prepare Today to Succeed Tomorrow
DORA represents a pivotal moment in the evolution of global cybersecurity regulations. U.S. companies must assess and improve their operational resilience measures to align with DORA’s requirements. By doing so, they can avoid costly penalties, mitigate risks, and safeguard their reputation in the EU market. Compliance with DORA today will ensure that businesses are ready for the challenges of tomorrow’s cybersecurity landscape, positioning them for long-term success in the global marketplace.