You are outside the EU, so DORA feels like someone else's regulation. Increasingly, it is not — and the first time many firms find out is during an EU client's due-diligence questionnaire. Here is exactly how DORA reaches you, what your EU partners will require, and how to get ready.
DORA is an EU regulation, but it does not stop at the EU border. A non-EU financial firm is pulled in through one of four routes:
Any entity authorised in an EU member state is in scope for its EU activities — the classic post-Brexit UK setup, and any US/African/GCC group with an EU foothold.
As the non-EU parent of an EU financial entity you can't run one "group" programme and call it done — each EU entity must comply on its own, but you set the oversight.
DORA flows down through your contracts (Articles 28-30), and the largest providers can be designated for direct EU oversight (CTPP).
Your EU clients are legally required to push DORA clauses onto you at renewal — accept them, or lose the account.
Not sure which applies to you? Our free DORA exposure check for non-EU groups gives you an answer in five questions — or read the full breakdown in "Is your non-EU firm exposed to DORA?"
If you provide ICT services to EU financial entities, DORA obliges them to impose specific terms on you (Articles 28-30). Expect a due-diligence questionnaire covering:
Full service description, service levels, and the locations where services run and data is stored (Art. 30(2)).
Unrestricted audit, access and inspection rights for the client and its supervisor (Art. 30(3)).
Incident notification SLAs and support for the client's 4h / 72h / 1-month reporting (Art. 19, 30).
Documented exit strategy, data portability, and disclosure/controls on sub-outsourcing chains.
The fastest way to get ahead of this is to fill in the questionnaire before a client sends it. Grab the editable Excel below, or read the full supplier guide to Articles 28-30.
African banks, payment institutions and fintechs are pulled in via EU correspondent and remittance relationships, EU subsidiaries, and as ICT/data providers to EU financial entities. Serving EU clients or running an EU-authorised entity puts DORA on your desk.
Check your exposure →
US and post-Brexit UK banks and funds with an EU branch or subsidiary are in scope for their EU operations. US/UK ICT and SaaS providers to EU finance face Article 28-30 flow-down and possible CTPP designation.
Read the full guide →
GCC banks, investment firms and payment providers with EU branches or EU-facing services — and GCC technology providers serving EU financial entities — are exposed through the same routes, direct and contractual.
Detailed scope check →
Practitioner templates and tools — the questionnaire and roadmap are free editable Excel files (work email required).
The exact questionnaire your EU clients will send you, mapped to Articles 28-30. Fill it in first and turn the contract review into a formality.
Get the questionnaire
A phased implementation roadmap across the five pillars, with month windows, deliverables, owners and status tracking.
Get the roadmap
Five questions to see whether DORA reaches your group and through which route. No signup.
Run the check
Get your team fluent, including the third-country dimension. Self-paced, verifiable certificate.
Start free
A focused, expert review of your DORA readiness and your exposure to EU-partner requirements, with a prioritised remediation backlog and an 18-24 month roadmap — delivered in 10 business days. Ideal for non-EU groups standing up an EU entity or answering EU client due diligence.
Kick-off call, document review, gap analysis across the five pillars + Art. 28-30, written report (PDF + Word), roadmap, and two follow-up calls.
Book the Flash Audit
A 30-minute expert call + written score and top-5 actions in 48 hours. Fully credited against any larger engagement.
See advisory options
Consulting delivers momentum. Resiplan keeps it running. Many clients combine both.
Expert-led engagements: gap analysis, implementation, TLPT preparation.
Continuous DORA/GRC automation: register, incidents, vendor risk, dashboards.
Consulting to kick-off + Resiplan to sustain. Our most popular combo.
Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.