Digital Operational Resilience Act (DORA).

The EU regulation establishing a uniform framework for ICT risk management, incident reporting, resilience testing, and third-party ICT oversight across financial entities, applicable from January 17, 2025.

DORA.

What it is.

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, was adopted December 14, 2022 by the European Parliament and Council. It applies from January 17, 2025 across all EU Member States with direct effect, supplemented by Member State implementing measures where required. The regulation is one of the two main components of the EU Digital Finance Package, alongside the Markets in Crypto-Assets Regulation (MiCA). DORA harmonizes ICT risk management requirements that had previously been addressed by sector-specific guidelines from the European Supervisory Authorities (EBA, ESMA, EIOPA), the European Central Bank, and national competent authorities.

The substantive framework spans five pillars. ICT risk management (Articles 5-16) requires financial entities to maintain a comprehensive ICT risk management framework approved by the management body. ICT-related incident management and reporting (Articles 17-23) requires classification, notification, and reporting of major ICT-related incidents and significant cyber threats. Digital operational resilience testing (Articles 24-27) requires regular testing including threat-led penetration testing (TLPT) for significant financial entities. Management of ICT third-party risk (Articles 28-44) imposes pre-contractual due diligence, contractual requirements, register of information, and concentration-risk analysis. Information and intelligence sharing (Articles 45-49) establishes voluntary arrangements among financial entities.

The most operationally consequential innovation is the critical ICT third-party provider (CTPP) oversight regime in Chapter V Section II (Articles 31-44). The European Supervisory Authorities designate CTPPs based on the systemic impact of their disruption, the systemic character of the financial entities relying on them, the degree of substitutability, and the number of Member States in which they provide ICT services. Designated CTPPs are subject to direct EU-level oversight by a Lead Overseer, with information requests, on-site inspections, recommendations, and potential financial penalties of up to 1 percent of average daily worldwide turnover per day for noncompliance, accumulated up to six months.

Cross-border implication.

For US cloud providers (AWS, Microsoft, Google, IBM, Oracle), US software vendors (Microsoft, Salesforce, ServiceNow, Workday, SAP NS2 for federal), US managed-service providers, and US fintech infrastructure providers serving EU financial entities, DORA reaches them through two paths. First, indirectly through the contractual flow-down: every EU financial entity using the provider must conform its contract to the DORA Article 30 requirements on subcontracting, audit rights, exit strategies, performance and reliability obligations, security and incident reporting, and termination rights. Second, directly through CTPP designation: the European Supervisory Authorities can designate a US-headquartered provider as a CTPP, subjecting it to direct EU-level oversight including on-site inspection authority at facilities outside the EU through cooperation arrangements with home-country authorities.

The presentation read for US providers selling into EU financial services has shifted. Pre-DORA, US providers negotiated EBA-guideline-aligned contracts on a case-by-case basis. Post-DORA, the contract is more uniform and more demanding, and the provider is read for CTPP risk at the firm-procurement level. US providers that have built DORA-aligned reference contracts, exit-strategy playbooks, and audit-cooperation procedures hold a procurement advantage.

Where this shows up on the GMA work.

DORA sits across the Operators entering the US book in reverse for US firms supplying EU financial services, on the Answers hub for transatlantic financial-infrastructure questions, and on the ISO 27001 and SOC 2 related entries. The presentation work covers how the firm names its DORA-aligned contract structure, its CTPP-readiness posture, its EU-side ICT resilience programs, and its US-EU audit cooperation framework on EU- and US-facing surfaces. The legal contract review and CTPP regulatory engagement belong with EU financial-services counsel.

Scope note.

Global Marketing Agency does not provide DORA contract drafting, CTPP regulatory engagement, ICT risk-management program design, or EU financial-services regulatory counsel. Those activities belong to EU financial-services counsel and the firm's compliance and procurement functions. GMA works on how the firm's DORA-readiness posture is presented, sequenced, and read on US- and EU-facing surfaces.

If a US infrastructure or SaaS firm is sitting on a DORA contract pivot or a CTPP-readiness question.

Send the EU financial-services book, the current contract templates, and the ICT-risk-management posture. Response within one business day.

Start the conversation

Sources cited on this page: European Banking Authority, Operational Resilience, Regulation (EU) 2022/2554, DORA, ESMA, DORA, EIOPA, DORA, European Central Bank, Cyber Resilience, RTS on classification of major ICT-related incidents.