The Digital Operational Resilience Act (DORA) is an EU regulation, so many financial firms headquartered in the United States, the United Kingdom, Switzerland, Singapore or elsewhere assume it simply does not concern them. For a growing number of those firms, that assumption is wrong - and discovering it during a client due-diligence questionnaire or a supervisory request is an expensive way to find out.

DORA has been in force since 17 January 2025. It contains no blanket "EU-only" carve-out. Its scope follows activity carried out in the Union and the ICT supply chain of EU financial entities. This guide explains the four routes by which a non-EU financial firm becomes DORA-exposed, what that means in practice, and how to check your own position.

Four ways DORA reaches a non-EU financial firm

1. You have an EU branch or subsidiary

If your group operates a subsidiary or branch that is authorised in an EU member state - a bank, investment firm, payment or e-money institution, insurer, crypto-asset service provider or fund manager - that EU entity is directly in scope of DORA for its EU activities. The nationality of the parent is irrelevant; what matters is the EU authorisation.

This is the single most common surprise for post-Brexit UK firms: the EU branch or subsidiary you set up to keep serving EU clients after losing passporting rights is a fully in-scope DORA entity. The same applies to US, Swiss and Asian groups with an EU foothold. Our DORA for banks guide confirms the regulation reaches EU branches of third-country banks.

2. Group structures do not get a shortcut

A frequent misconception is that a non-EU parent can run one "group" DORA programme and have its EU entities inherit compliance. DORA obligations attach to the regulated entity. Each in-scope EU subsidiary must be able to demonstrate its own ICT risk-management framework, its own register of information, its own incident-reporting capability and its own testing - even when much of it is delivered centrally. Group tooling helps, but there is no group-level compliance that can substitute for compliance at the entity level.

3. You provide ICT services to EU financial entities

DORA's longest reach is through the ICT supply chain. If your firm provides technology, data, cloud, analytics, trading or other ICT services to EU financial entities, DORA affects you in two ways:

  • Contractual obligations (Articles 28-30): your EU financial clients are legally required to put DORA clauses into your contract - audit and access rights, sub-outsourcing controls, incident cooperation, exit strategies and more. Our guide for ICT suppliers breaks these down.
  • Direct EU oversight (CTPP designation): the largest, most systemic providers are formally designated Critical ICT Third-Party Providers and supervised directly by the European Supervisory Authorities - regardless of where they are headquartered. See the list of designated CTPPs.

4. Contractual flow-down from your EU clients

Even if you are not designated and have no EU entity, you will still feel DORA through procurement. EU financial entities cannot sign or renew a contract with an ICT provider that will not accept the mandatory DORA clauses. In practice, non-EU vendors are now being sent DORA addenda, security questionnaires and audit-right requests as a condition of keeping the business. Firms that answer confidently win the renewal; firms that cannot, lose it.

What DORA actually requires

DORA organises operational-resilience obligations into five pillars: ICT risk management, ICT incident reporting, digital operational resilience testing (including threat-led penetration testing), ICT third-party risk management, and information sharing. For the full picture see what is DORA and the decoded RTS and ITS technical standards.

Penalties and timeline

DORA is live now - there is no remaining grace period. For financial entities, member states set administrative penalties that can reach up to 2% of total annual worldwide turnover for the most serious breaches. Designated CTPPs face EU-level periodic penalty payments of up to 1% of average daily worldwide turnover, levied daily for up to six months until they comply. Beyond fines, the commercial risk is immediate: failing a client's DORA due diligence can cost you the contract.

How to tell if you are in scope

The fastest way to an indicative answer for a group is our free DORA exposure check for non-EU groups: five questions that tell you whether you are caught and through which route. To classify a specific EU entity in detail, use the scope determination tool (Article 2). For a formal, written classification you can show a board or a supervisor, we also offer a paid Scope & Regulatory Determination memo.

What to do next

  1. Map your EU exposure: list every EU-authorised entity in the group and every EU financial client you serve.
  2. Run the scope check for each entity and for your provider role.
  3. Inventory your ICT contracts with EU financial entities and test them against the Article 30 clause requirements.
  4. Stand up the basics: ICT risk framework, register of information, incident-reporting playbook, resilience testing plan.
  5. Build internal expertise so your team can answer client and supervisor questions without scrambling.

This article is analytical guidance for compliance, legal and technology teams, not legal advice. References: DORA (Regulation (EU) 2022/2554) and its RTS/ITS. For your specific situation, confirm with qualified counsel.