Digital Operational Resilience Act (DORA) in Full Swing in EU
The regulatory landscape in cybersecurity is rapidly evolving in response to growing digital threats and an increasing number of cyberattacks and data breaches. As cyber risks continue to expand, governments worldwide are strengthening their regulations to protect sensitive information, critical infrastructure, and the economy.
With cyberattacks becoming more sophisticated and frequent, regulations are shifting from reactive to proactive, aiming to enhance industry resilience and accountability. This changing landscape reflects the urgency of addressing cybersecurity challenges and ensuring a safer digital environment for businesses and consumers.
EU vs. U.S. Approach
The U.S. and EU have adopted distinct methodologies for addressing cybersecurity risks in the digital economy, reflected in their regulatory frameworks. While both regions share similar cybersecurity concerns, their regulatory processes differ. The U.S. initially focused on sector-specific regulations and hard laws, particularly for cybercrime, but has increasingly shifted toward soft law strategies. Hard laws refer to legally binding rules and regulations that are enforceable by courts or regulatory bodies, carrying strict compliance requirements and penalties for non-compliance. Examples of hard laws include statutes and regulations that compel organizations to meet defined standards, such as data protection laws or cybersecurity mandates.
In contrast, soft laws are non-binding frameworks, guidelines, or principles that encourage voluntary compliance and best practices. These allow flexibility and adaptability to changing circumstances without the formal enforcement mechanisms of hard laws. For instance, the U.S. relies on frameworks like the Cybersecurity Information Sharing Act (CISA) and the NIST Cybersecurity Framework, which promote information sharing and establish recommended cybersecurity standards but do not impose legal obligations.
Meanwhile, the EU has adopted a more comprehensive and hard-law-focused approach to cybersecurity. Regulations like the General Data Protection Regulation (GDPR), the Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA) are binding across member states, requiring adherence to strict standards with significant penalties for violations. This contrast highlights the difference in regulatory philosophies: the EU aims for uniformity and enforcement across its jurisdiction, while the U.S. increasingly emphasizes industry flexibility and collaboration through soft-law measures.
DORA - Background
Although DORA aligns with the principles of previous guidelines provided by European regulators, the new regulation is a game changer. The expectations placed on companies have increased, which must be acknowledged before delving into DORA's specific requirements.
Until now, the EU regulatory framework for the financial sector has been fragmented and inconsistent, with various sector-specific regulations of differing levels of restrictiveness. This has resulted in overlaps, varying interpretations across European countries, and high compliance costs.
For the first time at the EU level, the DORA regulation sets a detailed and comprehensive framework for digital operational resilience for financial entities in a single piece of legislation. This will significantly impact global companies operating or transacting within the EU.
As of January 2025, approximately 22,000 EU-regulated financial entities are required to meet regulatory standards aimed at two key objectives: ensuring the operational integrity and continued quality of financial services, even during disruptions, and minimizing the risk of contagion within the EU financial system through a harmonized minimum standard of digital operational resilience.
Why is DORA Necessary?
The EU financial sector's growing reliance on technology and tech companies to deliver services makes it increasingly vulnerable to cyber-attacks and incidents. If not properly managed, information and communication technology (ICT) risks can cause disruptions to financial services, particularly across borders. Below are some best practices to comply with DORA regulations:
- Developing a risk management strategy, including mapping all critical ICT dependencies and identification of potential risks
- Establishing incident response procedures, including steps for detecting, reporting, and mitigating ICT incidents
- Conducting regular resilience testing to evaluate systems' capacity to withstand ICT disruptions
- Strengthening third-party risk management, including conducting due diligence, regular performance reviews, and risk assessments
Who Does DORA Apply To?
The DORA regulation applies to a wide range of financial institutions and to service providers that deliver ICT services to financial entities within the EU.
Applicable since January 17, 2025, DORA now covers the following financial institutions:
- Credit institutions
- Payment institutions
- Electronic money institutions
- Investment firms
- Management companies and AIF managers
- Account information service providers, or "bank account aggregators"
- Crypto-asset service providers authorized under the MiCA regulation
DORA also affects regions outside of the EU. Although the Digital Operational Resilience Act (DORA) is an EU regulation, it also applies to the U.S. market, because it enforces third-party risk management by holding financial institutions accountable for their vendors' operational resilience. U.S. vendors working with EU financial institutions must comply with DORA standards, including regular audits and vulnerability assessments.
By extending compliance obligations across the supply chain, DORA creates a ripple effect that impacts global service providers. Additionally, DORA requires mandatory stress testing to evaluate readiness for cyberattacks and operational disruptions. To align with these requirements, U.S. companies should adopt vulnerability assessments, penetration testing, and scenario-based drills to showcase their resilience and adherence to DORA's standards.
DORA: The Tip of the Iceberg
DORA directly impacts non-EU companies doing business in Europe, as they must comply with its operational resilience standards to continue serving EU financial institutions. Companies should expect an increasing regulatory burden as more regions adopt comprehensive cybersecurity laws, emphasizing operational resilience and third-party risk management. U.S. and global businesses should prepare for ongoing developments in this field by investing in compliance strategies and proactive risk management to meet evolving global standards.