FoxPointe Security Hub

The EU’s Digital Operational Resilience Act (DORA): A Sign of Things to Come for U.S. Financial Institutions?

February 4, 2025 by Christopher Salone


The European Union’s Digital Operational Resilience Act (DORA) officially went into effect on January 17, 2025, marking a significant step in strengthening the IT security and operational resilience of financial institutions. This regulation sets a new standard for banks, insurance companies, investment firms, and other financial entities, ensuring they can withstand and recover from severe operational disruptions.

With financial services becoming increasingly digital, DORA introduces a unified framework for managing information and communication technology (ICT) risks, with an emphasis on cloud-based services, interconnected systems, and third-party technology providers. Given the global nature of financial markets, it’s worth considering whether similar regulations could be on the horizon for U.S. financial institutions.

Key Aspects of DORA

DORA establishes five core pillars to enhance the cyber resilience of financial entities:

  • ICT Risk Management: Financial institutions must implement a structured ICT risk management framework to identify, mitigate, and respond to risks.
  • Third-Party Risk Management: Organizations must assess and monitor risks associated with their technology service providers, ensuring they maintain resilience across their entire supply chain.
  • Digital Operational Resilience Testing: Institutions must regularly test their digital infrastructure through basic and advanced cybersecurity exercises to ensure they can withstand attacks and disruptions.
  • Incident Reporting: Firms are required to report major ICT-related incidents to relevant regulators, improving transparency and response capabilities.
  • Information Sharing: DORA encourages financial entities to exchange intelligence on cyber threats to enhance collective defense mechanisms.

Could the U.S. Follow Suit?

While DORA is an EU regulation, it could serve as a blueprint for future U.S. regulatory initiatives. Many of the principles in DORA align with existing guidance issued by U.S. financial regulators, such as the Federal Financial Institutions Examination Council (FFIEC) Business Continuity Handbook. However, the last update to that handbook was in 2019, before the widespread shift to remote work and the acceleration of cloud-based financial services.

With cyber threats growing in sophistication, it’s likely that U.S. regulators will modernize existing disaster recovery and business continuity requirements to reflect the current digital landscape. In particular, DORA’s emphasis on third-party risk management and digital resilience testing could serve as a model for U.S. policymakers.

What Financial Institutions Should Do Now

Even though DORA applies specifically to EU financial institutions, U.S. firms—particularly those with global operations—should take proactive steps to align with these evolving expectations. Consider the following:

  • Assess Your ICT Risk Management Framework – Ensure your organization has a comprehensive approach to identifying, managing, and mitigating digital risks.
  • Strengthen Vendor Risk Oversight – Review contracts and oversight mechanisms for third-party technology providers to align with best practices.
  • Enhance Cyber Resilience Testing – Conduct regular scenario-based testing to identify weaknesses and improve response capabilities.
  • Prepare for Future Regulatory Changes – Monitor developments in U.S. financial regulation, as policymakers may introduce similar requirements.

As the financial industry continues its digital transformation, regulations like DORA highlight the importance of resilience, transparency, and collaboration in managing cyber risks. U.S. financial institutions should take note—what is currently a European mandate may soon become a global standard.

For more information on DORA, visit the official EIOPA website. And if you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to discuss your specific situation.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.