On January 17, 2025, the Digital Operational Resilience Act (DORA) takes effect. This legislation introduces a regulatory framework from the European Union (EU) aimed at ensuring the financial sector’s resilience to downtime and threats such as cyber-attacks and IT outages. Its primary goal is to mitigate information and communication technology (ICT) risks so financial entities can reduce and recover from disruptions.

Regulators have noted that resilience is only possible if every organization in the supply chain meets cybersecurity standards. ICT risks are defined as any situation involving systems in which security is undermined to impede technology-dependent tools, processes, and the delivery of services. This includes risks from third-party service providers using external ICT services, as well as parent companies headquartered outside the EU using ICT services in volume. In short, DORA has a long reach, and U.S. organizations also need to take heed.