Does DORA Apply to US-Based Financial Service Providers?

A comprehensive guide by Secfense

With the Digital Operational Resilience Act (DORA) now in force across the European Union (EU), many US companies providing services to EU financial clients are asking, "Does DORA apply to US companies?" and "How can US businesses ensure compliance with DORA?" If you are a US-based manager or service provider, it is crucial to understand whether you are in scope for DORA, whether directly or through your clients' contracts, and what steps you need to take to meet its requirements.

This comprehensive guide answers all the key questions, such as “What is DORA regulation?”, “Who needs to comply with DORA?”, and “What does DORA mean for US financial service providers?”

What Is DORA?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation designed to strengthen the cybersecurity and operational resilience of the financial sector. It covers a wide range of financial entities, including banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, and other fintech providers, and aims to ensure that these organizations can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions and cyberattacks.

DORA places obligations not only on financial entities within the EU but also on the ICT third-party service providers that support their operations, both through mandatory contract terms and, for providers designated as critical, through a direct EU oversight framework. This raises a crucial question: do US companies need to comply with DORA if they have EU clients?


Does DORA Apply to US Companies?

The short answer is yes, although for most US providers the obligations arrive indirectly. DORA is addressed to EU financial entities, but it reaches the ICT third-party service providers that support them: US cloud service providers, cybersecurity vendors, software and data-management providers, and any other company delivering ICT services to an EU-based financial organization.

DORA applies to non-EU providers in two ways. First, every EU financial entity must include a fixed set of DORA-mandated clauses in its contracts with ICT providers, wherever those providers are established, so a US company keeps its EU financial clients only if it can accept and operate under those terms. Second, DORA explicitly contemplates "ICT third-party service providers established in a third country": a non-EU provider whose services matter enough to the stability of the EU financial system can be designated as critical and placed under direct oversight by the European Supervisory Authorities, and a critical provider established outside the EU must set up a subsidiary in the EU to keep serving EU financial entities. So, if you are wondering, "Does DORA apply to US service providers?", the answer is yes if you provide ICT services to EU financial entities, and all the more so if those services support their critical or important functions.

Important Compliance Deadline: January 17, 2025

One of the most important dates for US-based service providers is January 17, 2025, the date from which DORA applies. From that date, EU financial entities must meet DORA's requirements in full, which includes holding DORA-compliant contracts with their ICT providers, maintaining an ICT risk management framework, conducting regular resilience testing, and reporting major ICT-related incidents to their authorities. Their providers, including those outside the EU, must be able to support each of these obligations.

For US-based providers serving EU clients, being able to meet DORA's contractual and operational expectations by January 17, 2025, is essential to continue offering services in the EU market without interruption. If you are a US manager wondering whether it is possible to close the gap in time, the good news is that several of the required controls, such as strong authentication, can be put in place quickly with the right tooling.

What Are the Key DORA Compliance Requirements for US Companies?

As a US-based ICT provider or financial service provider, you need to be aware of several critical aspects of DORA. These requirements are essential to maintaining your relationships with EU clients, passing their due diligence, and avoiding contract termination or, for critical providers, direct supervisory action.

1. Risk Management

DORA requires EU financial entities to operate a documented ICT risk management framework, and that framework must explicitly cover the risks arising from third-party ICT providers, including US companies. In practice, this means a US provider must be able to evidence its own controls (asset inventory, access control, vulnerability and patch management, logging and monitoring, backup and recovery) during the client's pre-contract due diligence and throughout the contract, and must assess and mitigate any risk in its service that could affect the client's operational resilience. This is especially relevant for organizations that offer cloud services, cybersecurity solutions, or data management tools to EU financial firms.

2. Incident Reporting

One of the major components of DORA is incident reporting. Under DORA, it is the EU financial entity that must classify ICT-related incidents and report major ones to its competent authority, with an initial notification due within hours of classification. That deadline is only achievable if its providers notify it promptly, so DORA requires the contract to oblige the ICT provider to assist the financial entity when an incident affects the service. A US-based company therefore needs clear protocols to detect, manage, and escalate operational disruptions and security incidents to its EU clients fast enough for them to meet their own reporting windows, and should agree the notification channel, timing, and required content with each client in advance.

3. System Testing and Resilience

DORA places strong emphasis on testing the resilience of ICT systems. Financial entities must run a digital operational resilience testing programme that includes vulnerability assessments and penetration testing, and the larger entities must additionally undergo threat-led penetration testing (TLPT) at least every three years. Where a US provider's service supports a client's critical or important functions, that service falls within the scope of the client's TLPT, and the contract must oblige the provider to participate and cooperate. US providers should therefore run their own regular vulnerability assessments and penetration tests, be prepared to share results or summaries with clients and, on request, their regulators, and be ready to take part in a client's TLPT exercise.

4. Contractual Obligations

DORA mandates that contracts between EU financial entities and ICT third-party providers (including those based in the US) contain a defined set of provisions. These include a clear description of the services and their service levels, the locations where data will be processed and stored, provisions on the availability, integrity, and confidentiality of data, the provider's obligation to assist during ICT incidents, the client's rights to monitor, inspect, and audit the provider, termination rights and exit strategies, and, for services supporting critical or important functions, the provider's participation in the client's resilience testing. Expect EU clients to re-paper existing agreements accordingly; US companies should review their contracts and confirm that their operations can actually deliver what those clauses promise.


Why Should US Financial Service Providers Care About DORA?

US companies that work with EU clients must take DORA seriously. A provider that cannot meet the mandatory contract terms or support its clients' obligations risks losing those clients, because financial entities are required to terminate arrangements with providers that fail to meet the regulation's requirements. Providers designated as critical face direct oversight, with periodic penalty payments for non-cooperation. With the January 17, 2025 application date now here, US companies need to ensure they meet all of these expectations.

Moreover, demonstrable alignment with DORA can become a competitive advantage. Companies that meet DORA's cybersecurity and operational resilience expectations are easier for EU clients to onboard and retain, which can improve your standing in the market.

How US Managers Can Ensure DORA Compliance

If you manage a US-based company providing ICT or financial services to EU clients, here is a DORA compliance checklist to help you stay on track:

  • Map Your Exposure: Identify which EU financial entities you serve and which of their critical or important functions depend on your services, since those arrangements attract the strictest contract and testing requirements. Consider whether your footprint could lead to designation as a critical provider.
  • Evaluate Your Contracts: Ensure that all contracts with EU financial entities contain the DORA-mandated provisions, including service descriptions, data locations, audit and access rights, incident assistance, exit strategies, and participation in resilience testing.
  • Strengthen Risk Management Protocols: Implement and document controls to assess, mitigate, and manage ICT risks, including strong authentication and access control, so you can evidence them during client due diligence and audits.
  • Prepare for Incident Reporting: Develop a clear process for detecting ICT incidents and notifying affected EU clients quickly enough for them to meet their own regulatory reporting deadlines.
  • Regular System Testing: Conduct regular penetration tests and vulnerability assessments, and be ready to take part in clients' threat-led penetration testing.
  • Stay Informed: Keep up with the regulatory and implementing technical standards that supplement DORA and ensure your practices align with the latest requirements.

By following this DORA compliance checklist, US companies can avoid contract termination and continue providing services to EU financial entities without disruption.

How Secfense Can Help You Meet the January 17, 2025 Deadline

Even with the deadline already here, US-based companies can close important gaps quickly with the right technology. DORA's ICT risk management requirements include strong authentication mechanisms and tight control of access to ICT systems. Secfense provides passwordless authentication using passkeys and FIDO standards, integrating with your existing applications without code changes or vendor lock-in. By strengthening authentication and access control, Secfense helps you address that part of DORA's security and operational resilience requirements and gives you controls you can evidence to EU clients; the remaining requirements, such as contract terms, incident handling, and testing, still need to be covered by your broader programme.

Consequences of Non-Compliance

Failing to meet DORA's expectations can have serious consequences for a US provider, including:

  • Termination of contracts by EU financial entities, which are required to exit arrangements with providers that do not meet the regulation's requirements
  • For providers designated as critical, direct EU oversight, recommendations that can lead to financial entities being told to suspend or end the arrangement, and periodic penalty payments for non-cooperation
  • Loss of business during client due diligence and reputational damage with EU clients

For US companies, aligning with DORA is not just a regulatory matter; it is a business imperative for maintaining relationships with EU-based financial institutions.


Conclusion: Does DORA Apply to US-Based Financial Service Providers?

In summary, US companies providing ICT services to EU financial entities must be able to meet DORA's requirements. This means accepting the mandatory contract provisions, evidencing sound ICT risk management, supporting clients' incident reporting, and taking part in resilience testing, with direct EU oversight for providers designated as critical. With DORA applying from January 17, 2025, it is essential that US-based managers act now to ensure their organizations meet these requirements.

If you are a US-based service provider wondering, "Does DORA apply to us?", the answer is clear: yes, if you work with EU financial clients. Meeting these requirements not only protects your contracts but also positions your company as a trusted provider in the highly regulated EU market. And with Secfense's passwordless authentication solution, you can quickly put in place the strong authentication that DORA expects.

Antoni takes care of all the marketing content that comes from Secfense.
