
DORA reaches every US, UK, UAE, and APAC firm that serves an EU financial entity.

This page is for US, UK, UAE, and APAC fintech, AI-infrastructure, and financial-services companies that serve EU banks, insurers, payment institutions, and investment firms. DORA enforcement began in January 2026 and extends operational-resilience requirements to ICT third-party providers regardless of the provider's jurisdiction.

DORA is the EU's compliance answer to non-EU dependency.

The ICT third-party provisions specifically reach providers outside the EU. A US AI company serving Deutsche Bank or BNP Paribas inherits DORA obligations through the customer contract. A UAE-based AI infrastructure firm serving an EU insurer is in scope. A Singapore-based payments AI vendor serving an Irish e-money institution is in scope.

Cross-border providers commonly arrive with US-shaped or otherwise jurisdiction-shaped MSAs and with SOC 2 or ISO 27001 attestations, which do not by default satisfy DORA's specific operational-resilience, sub-contractor-monitoring, and concentration-risk requirements. The EU financial customer's compliance team reads the existing trust posture and flags the gap during the renewal cycle.

How EU-financial deals stall on DORA.

  • A US AI fintech wins an EU bank as a customer in late 2025. The bank's procurement renewal in 2026 surfaces DORA gaps in the US vendor's resilience testing and sub-contractor monitoring. The renewal is held.
  • A UAE-based AI infrastructure firm has SOC 2 Type II but no DORA-specific resilience-testing posture. The EU customer's compliance audit downgrades the firm to a critical-risk classification.
  • A Singapore AI vendor's commercial materials reference Asia-Pacific resilience standards. The EU customer's legal team flags the materials as insufficient for DORA-aligned vendor onboarding.
  • A UK fintech inherits DORA through its EU-financial customer base. The post-Brexit UK posture does not by default map to DORA's Article 28 third-party requirements. The commercial layer needs to be rebuilt to speak the EU register.

The commercial-layer rebuild for ICT third parties.

GMA does not provide legal compliance advice. DORA-specific compliance work is done by the client's own legal counsel and an EU-financial-services-compliance specialist. Counsel handles resilience-testing requirements, sub-contractor-monitoring legal structure, ICT third-party register filings, and Article-specific obligations.

GMA rebuilds the commercial layer that operates inside the compliance posture counsel has established:

  • EU-financial-customer-facing materials that reflect DORA-aligned operational-resilience commitments.
  • Trust architecture exposing the resilience-testing, sub-contractor-monitoring, and incident-reporting posture in commercial form.
  • MSA and DPA companion materials that align with DORA Article 28 third-party requirements. Counsel drafts the legal text; GMA frames the commercial narrative.
  • Cross-channel positioning for EU-financial-customer pursuit, member state by member state, with the right reading of each regulator's lens.

Who this is for and who it is not for.

  • ICT, AI, or fintech firm serving EU financial entities or pursuing an EU-financial pipeline.
  • Revenue band of twenty-five million to two billion dollars.
  • DORA compliance posture work underway with legal counsel.
  • Commitment to a commercial-layer rebuild.

Out of scope: legal DORA compliance advice stays with the client's counsel and an EU-financial-services-compliance specialist. Sub-contractor-monitoring system implementation stays with the client's IT team and counsel. ICT third-party register submission stays with the client's regulatory team.

What the engagement looks like.

Market Entry Sprint

Six to ten weeks. A narrowly scoped rebuild for one EU-bank-customer renewal. The typical first engagement when a single EU financial customer's renewal is the immediate pressure.


Cross-Border Build

Three to six months. For a cross-border ICT provider entering the EU-financial-customer pipeline with a DORA-aligned commercial layer across resilience-testing, sub-contractor-monitoring, and incident-reporting posture.


Group Partnership

Monthly retainer, twelve-month minimum. For ICT providers operating an ongoing EU-financial-customer base across multiple member states. Pricing is confirmed in discovery, not on the public site.


GMA does not provide legal compliance advice.

GMA does not provide legal compliance advice on DORA. Resilience-testing requirements, sub-contractor-monitoring legal structure, Article-specific interpretation, and ICT third-party register filings stay with the client's counsel and with an EU-financial-services-compliance specialist firm. GMA does not implement sub-contractor-monitoring systems, does not submit ICT third-party registers, and does not interpret Article 28 obligations on the client's behalf. The commercial-layer rebuild operates downstream of the compliance posture counsel has set.

Frequently asked.

Yes, if your company serves EU financial entities as an ICT third-party provider. The Act reaches through the customer relationship.

They are useful inputs but not sufficient. DORA has specific resilience-testing, sub-contractor-monitoring, and incident-reporting requirements that go beyond SOC 2 and ISO 27001. Counsel determines the gap; GMA addresses the commercial layer.

DORA specifically targets EU financial entities and their ICT third parties. Non-financial cross-border companies face other EU regulations such as GDPR, the AI Act, and NIS2, but not DORA directly.

No. GMA does not provide legal compliance advice. DORA-specific compliance work is done by the client's own legal counsel and an EU-financial-services-compliance specialist.

Inquiry through the contact form and a discovery conversation. Sprint, Build, and Group Partnership are available. Pricing is confirmed in discovery, not on the public site.

Related reading.


The EU AI Act and cross-border companies.

The horizontal EU AI regulation that reaches AI systems operating inside EU borders regardless of provider jurisdiction.


AI compliance cross-mapping.

Operating SOC 2, ISO 27001, GDPR, FedRAMP, CMMC, MDR, EU AI Act, and DORA in parallel without duplicating effort.


Data sovereignty in cross-border AI.

Where the AI runs, stores, and infers is now a market-entry decision rather than a technical one.


If an EU financial customer's renewal is being held on DORA gaps, describe what counsel has set and what the customer's compliance team has flagged.

Tell us which EU financial entity, which gap the audit has named, and where counsel has landed. Response within one business day.

Start the conversation