Does the EU 2025 cybersecurity [DORA] law apply to those outside the EU? If yes, what are you doing?


DORA is an EU regulation.

  • The full name of the regulation is:-
    • "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on
      • Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
    • or
  • DORA came into law on 16 January 2023 and will start to apply from 17 January 2025.
  • So, we all have two years to prepare.

The EU's Digital Operational Resilience Act [DORA]

  • Is a wide-ranging regulation that ensures financial institutions and their service providers are mitigating the operational risks that arise from their reliance on
  • It impacts contracting, legal departments, procurement, HR (for training), governance, compliance, risk and audit functions, and more.
  • Organisations must begin their change management process to comply when the regulation comes into force.


  • Suppose your organisation is outside the EU but has offices in the EU or provides services to a financial institution that offers services in the EU.
    • In that case, it's considered in scope if
  • For example,
    • If you're US-based and provide services to a US-based bank, you may still be affected in some way if that bank operates in the EU.
  • Whether in the EU, UK, or otherwise, all organisations should assess whether they will fall within the scope of DORA and what actions they'll need to take to comply.

For those directly in scope, there is a lot to do to comply with  


What is DORA?

In short, DORA is an EU regulation that will ensure financial institutions follow strict rules to protect their operational resilience, specifically around ICT risk.

The five critical pillars of DORA are:

  • ICT risk management
  • Incident reporting
  • Operational resilience testing
  • Managing third-party risk
  • Intelligence sharing

Financial services institutions must actively manage the risks associated with their digital operations arising from their reliance on ICT, focusing on ensuring a high level of cybersecurity protection, or suffer the consequences.

Which organisations are affected by DORA?

If you're a financial institution in the EU, DORA probably applies. There are 22,000 financial entities and ICT service providers operating in the EU that will be affected, plus many more outside.

The list is quite extensive:

  • Banks
  • Credit institutions
  • Account information service providers
  • Credit agencies
  • Pension funds
  • Investment firms
  • Crypto firms
  • Insurers
  • Intermediaries
  • Alternative investment fund managers
  • Crowdfunding providers

Crucially, ICT third-party service providers are also affected by DORA. While the details differ, if your organisation provides services to any institution in scope, you're also in scope.

In terms of organisation size, there is a principle of proportionality.

  • The bigger the risk, the greater the expectations of the regulation. This may not directly correlate with the size of an organisation, but it can be something of an indicator.
  • There are also exclusions for micro-organisations (companies with fewer than 50 employees), and some details may vary from country to country.

How will DORA impact cybersecurity controls?

DORA explicitly states that security and ICT tools must be continuously monitored and controlled to minimise risk.

This suggests that an institution's security posture must be actively managed and its controls continuously monitored, giving organisational and cascading views of performance against cybersecurity policies and appropriate regulation.

To illustrate, Article 9.1 of DORA reads:

  • "For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures."
  • DORA also requires that organisations set, evolve and evidence risk-based policies to ensure continued resilience. To achieve this, they must measure KPIs across their security metrics program. Many organisations will already be doing this, but it's often a manual process.
  • Without advanced automation, it will be almost impossible to measure these and evidence them to a regulator continuously.

How will DORA affect the board?

  • One of the crucial mandates of DORA is that boards of financial services organisations will be accountable for ICT risk, by law.
  • This is a big step forward – while cybersecurity is recognised as a board-level risk, it's now codified in EU law.
  • The board must also be educated in the threats and risks of their digital estate. This means that scrutiny of CISOs and other cybersecurity leaders will likely increase, as will their influence within the boardroom.

How will DORA affect the concentration of risk?

  • DORA prohibits the concentration of risk and states that organisations shouldn't rely on a single service provider for business-critical processes.
  • This means that if you're running Azure as your cloud service provider, all your devices are Surfaces running Windows 11, and you're reliant on MS 365 E5, you're in trouble, because if Microsoft goes down, your organisation will follow it.
  • Under DORA, organisations will likely need to use multiple cloud service providers, a range of security vendors, etc., so that if one of them stops working, you still have others in place.


