What US Organizations Need to Know About EU’s Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation many US firms may need to comply with.

After DORA comes into effect in January 2025, US financial entities with EU customers, as well as the third-party providers that serve them, will need to comply with DORA. The alternative is potentially prohibitive fines.

This means that any US-based but EU-facing hedge fund, broker (including crypto platform), bank, fintech, or any other kind of financial entity will soon have a new set of regulations to keep—though there are some exceptions.

Here’s a quick breakdown of everything US companies need to know about DORA.

What Is DORA?

The Digital Operational Resilience Act (DORA) is the broadest piece of EU financial-sector cyber regulation to date. Much like the General Data Protection Regulation (GDPR) before it, DORA will put new obligations on companies that want to access the EU marketplace.

In practice, DORA is a cybersecurity-focused regulation. It aims to make financial institutions (FIs) take responsibility for the business risk (to their customers and the sector as a whole) created by cybersecurity incidents.

Anyone familiar with US regulations like PCI DSS, the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), and frameworks like NIST CSF 2.0 will recognize DORA’s requirements, which center on forcing FIs to get better at identifying and reporting security incidents, and at preventing them in the first place.

Summed up in a word, DORA is a “resilience” regulation.

DORA has five pillars of compliance. These are:

  • Establishing robust ICT risk management frameworks.
  • Managing third-party risks.
  • Conducting regular digital operational resilience testing.
  • Complying with strict incident reporting guidelines.
  • Sharing threat intelligence with other financial entities.

These are the core themes of DORA’s requirements, though numerous detailed obligations exist within each of them. You can read the full list of requirements on the official DORA website.

For some larger firms, DORA’s demands may align with their current practices. The act’s operational resilience requirements are stringent, but nothing really new.

For others, especially smaller financial firms, DORA brings new challenges around risk management, threat detection and incident reporting, and testing.

A big part of DORA compliance is introducing a level of offensive security into your security program. DORA introduces a new regulatory requirement for “threat-led penetration testing.” Within its Resilience Testing pillar, DORA requires FIs to carry out this testing every three years. However, calling it “advanced penetration testing” is a bit of a misnomer: DORA’s testing requirements are more akin to the open-ended style of offensive security known as red teaming.

DORA Is Likely to Apply to a Wide Range of US Organizations

Almost every kind of financial institution is covered by DORA, including:

  • Credit institutions
  • Investment firms
  • Insurance or reinsurance undertakings
  • Fintech companies
  • Payment institutions
  • Electronic money institutions
  • Central securities depositories
  • Crypto-asset service providers
  • Central counterparties
  • Trading venues or repositories
  • Crowdfunding service providers
  • Asset management companies
  • Data reporting service providers

A select collection of financial institutions is exempt from DORA. You can see a list of who is exempt here.

DORA also applies to organizations that the European Supervisory Authorities (ESAs) designate as critical ICT third-party service providers (CTPPs). These organizations are not financial services organizations themselves but provide critical services to the EU financial services industry; for example, a cloud services provider that several large banks rely on.

Deciding whether or not an organization is a CTPP is fairly complicated (and done on a case-by-case basis), but generally speaking, most big IT services providers with financial services clients, like Google Cloud (which has recently written about its approach to DORA), are likely to fall into this category.

Smaller US Firms Might Be Surprised By DORA

DORA is an extremely broad piece of legislation. Most financial services organizations will be covered regardless of turnover or business size.

However, DORA’s requirements scale with the size and risk profile of the company. For example, microenterprises need only review their risk management frameworks periodically, instead of yearly as required for larger organizations.

There Could Be Steep Penalties for US Organizations

Failing to comply with DORA can cost organizations 1% of daily global turnover for up to six months. It will also severely hamper a firm’s ability to access the EU market and damage its business reputation.

Based on what happened with the GDPR, DORA fines will likely be a) enforced heavily and b) increase with time.

DORA May Affect Existing Contracts with EU Clients

A core DORA focus area is contract management and third-party risk.

DORA will likely require US third-party providers to change parts of their contracts with any EU financial entity or other impacted business. For example, they might need to agree to new risk management and reporting standards.

Also, if a US business is deemed a critical ICT third-party service provider (CTPP) to EU clients, it might need to sign up to new service level agreements (SLAs). These should include provisions for backup providers and compliance with additional regulatory standards.

What Now?

The key DORA takeaway for US businesses is to check whether you are covered and to take action to comply as soon as possible. DORA noncompliance fines are unlikely to be a problem for the next 12 months, but they are coming.

About the Author

Nikos Vassakis is a seasoned Cybersecurity Professional with over a decade of experience and a Master’s degree in Information Security. Starting as a penetration tester, he progressed through roles at several security consultancies, managed security services for a global financial institution, and an internal security team at a leading UK bank. These experiences have given him a deep understanding of the unique challenges faced by large-scale enterprises. His diverse background spans penetration testing, risk assessment, compliance, and strategic security planning. Currently, Nikos leads the security consulting practice at SECFORCE LTD, leveraging his extensive experience to guide organizations in strengthening their security posture across various industries and scales of operation.

Nikos can be reached at https://www.secforce.com/.