Why the EU’s DORA rules matter to US, UK, and global companies

Blog

7 Aug 2024

Are you ready for DORA? This tough new set of European Union regulations comes into force soon – and looks set to impact a significant number of US, UK, and global companies.

The Digital Operational Resilience Act (DORA) is a new European Union (EU) legal framework for the financial sector. It becomes enforceable from 17 January 2025 after a two-year implementation period.

The basic idea is that DORA harmonizes security and resilience practices across the EU – so the financial sector becomes stronger in the face of attacks, failures, and other risks. It’s hoped that a central, consistent, supervisory approach will be better than the patchwork of regulations operated until now by individual EU member states.

DORA: What you mustn’t miss

Although its remit appears narrow at first glance, DORA will have an influence that extends far beyond the banks and insurers of Europe’s financial sector.

Other types of businesses – and companies in the US, UK, and other countries – could find that DORA impacts them too. So it’s important for organizations to grasp the full implications.

Here are four reasons why DORA is different:

1: ‘Financial entities’ includes a wide range of companies

DORA applies to banks, insurance companies and investment firms. But the scope is far broader and also includes crypto-asset service providers, trading venues, data reporting service providers, credit rating agencies, crowdfunding service providers, and many other types of finance-related organizations.

2: Organizations outside the EU will be affected

As with GDPR, the new regulations apply to organizations delivering services to customers within the EU. So DORA is still relevant – even if your finance business is based thousands of miles outside of Europe but some of your customers reside in EU states. DORA covers your relationship with them.

3: DORA includes ICT providers too

The framework’s security requirements apply to EU financial organizations – but also to their third-party ICT service providers. So even if a tech firm is based in Silicon Valley or London, it could be within the scope of DORA if it supplies EU financial businesses. Examples of ICT provision could include payments, cloud services, software, or data analytics.

4: DORA’s penalties may involve criminal proceedings

The new rules will cause a sharp intake of breath among senior executives. Non-compliance could mean administrative penalties of 1% of average daily worldwide turnover.

But there’s a second reason why executives may be extremely concerned – penalties can include criminal investigations. Each EU member state will have its own DORA regulator handling enforcement. As well as asking financial companies to improve security or deal with vulnerabilities, they also have the option to bring criminal proceedings.

“DORA itself does not specify criminal penalties in relation to breaches; this will be left to each Member State to determine and enforce. It will be important for organisations and senior executives to be aware of what local laws apply, as some may incur criminal sanctions and some may not. It is also worth keeping in mind that where a Member State does introduce criminal penalties, DORA requires that they ensure appropriate measures are in place to enable liaising with judicial, prosecuting, or criminal justice authorities to implement these penalties effectively.”

Rohan Massey, data, privacy & cybersecurity partner at Ropes & Gray


DORA: What is ‘operational resilience’?

The DORA framework introduces specific and prescriptive requirements for organizations. While Gartner’s high-level definition of operational resilience includes areas such as “risk appetite” and business continuity, DORA spells out what this should look like in practice. It covers areas such as:

  • ICT risk management: Financial entities must be able to address ICT risk quickly, efficiently and comprehensively. This includes monitoring third-party providers. Basic and advanced testing should take place.
  • ICT-related incident management: Companies must have processes to detect, manage, and report any ICT-related incidents to authorities.
  • Cyber threat information sharing: Organizations need to implement mechanisms to review and take action on the information shared with them by the authorities.
  • Oversight of critical third-party providers: DORA requires financial entities to manage ICT third-party risk as an integral component of their own risk framework.

This last point is especially relevant, given the boom in cloud technology and the ecosystems of tech suppliers that have mushroomed in the digital age to support critical services. DORA even requires some obligations to be inserted into new contracts – and existing ones – between financial entities and ICT providers to ensure compliance.

DORA: Critical questions to ask

With January 2025 approaching fast, it’s important to ensure that company readiness programs are on track, gaps are assessed, and shortcomings are addressed.

The role of ICT providers will be key and there’s an important question to consider: Will your ICT partners help or hinder your compliance with DORA?

For example, can they take on areas of security and responsibility for you – and demonstrate they can deliver the operational resilience you need? Better still, can they go beyond the box-ticking associated with new legislation and provide robust security that addresses risk at a more fundamental level?

In other words, are they playing catch-up or are they ahead of the game? Is operational risk an afterthought or a fundamental design feature?

After all, DORA is only the latest consignment of legal responsibilities coming down the tracks. No doubt, more rules will follow, as digital transformation extends and risks increase.

Discover more and contact us

At Eckoh, we’ve helped our clients across the world handle the intricacies of GDPR, PCI DSS 4.0, HIPAA, CCPA, and other legislation. In a similar way, we’ll contribute to their compliance with DORA in the areas of secure customer engagement, payments, and the handling of personally identifiable information (PII).
