
Time is Running Out: US Vendors and DORA Compliance


The European Union's landmark Digital Operational Resilience Act (DORA) has now been active for over two months, its implementation date having passed on January 17, 2025, after a significant two-year preparatory period. Yet, a concerning number of organizations, even within the EU's financial sector, are reportedly still lagging in their preparedness. While DORA's primary focus is on bolstering the IT security and resilience of banks, insurance companies, and investment firms operating within the EU, its implications ripple far beyond European borders, particularly impacting US companies.

A critical, and perhaps underestimated, aspect of DORA is its extended reach to US entities providing services to EU financial firms, including those US companies supporting their own subsidiaries within the European Union. This means that American IT management and service providers are now subject to the stringent requirements of this EU regulation if they wish to continue their partnerships with European financial institutions.

According to Ian Bowell, Virtual Chief Information Security Officer at Thrive, DORA's fundamental aim is to shield financial entities from the growing threat of cyberattacks and operational disruptions, encompassing everything from denial-of-service attacks to ransomware. To achieve this, DORA mandates that EU financial firms establish proactive resilience protocols, including sophisticated risk management frameworks designed to prevent, detect, and recover from cyber incidents. Furthermore, these organizations face a strict 24-hour deadline for reporting significant disruptions stemming from data breaches or cyberattacks.


However, the true breadth of DORA's impact lies in its robust third-party risk management requirements. Similar in concept to the US Department of Defense's Cybersecurity Maturity Model Certification (CMMC) but arguably more in-depth, DORA compels European financial institutions to exercise heightened scrutiny over their third-party vendors and partners. This necessitates that US companies seeking to engage with these EU firms not only achieve DORA compliance but also be prepared for thorough audits. These audits will include the capacity to upload crucial metrics and data concerning their own third-party relationships into a designated Register of Information.


Non-compliance with DORA carries significant penalties, potentially including criminal repercussions, substantial financial fines (up to 1% of an organization's daily global revenue), legal and operational consequences, and considerable damage to brand reputation.


Achieving DORA compliance necessitates a proactive and long-term approach. Organizations may need to undertake significant upgrades to their existing IT infrastructure, policies, and protocols. As security threats are constantly evolving, compliance should not be viewed as a one-time goal but rather as an ongoing standard. Continuous improvements and rigorous testing of security frameworks are essential.

For US companies striving for DORA compliance, conducting thorough assessments of their current security and resilience standards is a crucial first step. This will help identify vulnerabilities and pave the way for targeted improvements in areas such as incident response times and risk management. Regular testing of IT environments, including penetration testing and vulnerability evaluations, is vital to uncover potential weaknesses.


Demonstrating digital operational resilience involves comprehensive testing of disaster recovery and business continuity plans, ensuring the ability to seamlessly transition to alternative processes during disruptions. Meticulous documentation of these tests, their outcomes, and incident response protocols is key to showcasing compliance.

Furthermore, US companies should implement detailed audit trails and automate the logging of user activity to facilitate information sharing about emerging threats, particularly zero-day attacks. Robust monitoring systems are also critical to meet DORA's stringent 24-hour incident reporting window. Conducting attack and disruption simulations can help organizations refine their response strategies and identify preemptive measures.

Crucially, US companies providing services to EU financial firms must also address third-party risk management within their own supply chains. Engaging with subcontractors and suppliers who do not meet DORA's standards can jeopardize their own compliance status. Just as EU financial firms must vet their US service providers, those US providers must, in turn, scrutinize their own third-party entities through audits and by seeking relevant certifications. The ability to not only achieve compliance but also to demonstrably document it is paramount in building trust with EU partners.

In an era where technological advancements drive both efficiency and escalating cyber threats, adhering to regulations like DORA is not merely about compliance; it's about safeguarding data, protecting brand reputation, and ensuring long-term business sustainability in an increasingly interconnected global landscape. The time for preparation has passed – the era of DORA compliance is now firmly underway.


Looking to ensure your organisation is compliant?

Reach out today to discuss how DC Cybertech can support