The compliance challenge reshaping cyber insurance for FIs

The Digital Operational Resilience Act (DORA), which went into effect on January 17, 2025, is reshaping the regulatory landscape for financial institutions operating in the European Union. Although DORA is an EU-specific regulation, its impact extends beyond Europe, particularly for firms also subject to the New York Department of Financial Services (NYDFS) cybersecurity regulations. Given the significant overlap between these frameworks, financial institutions must navigate the challenge of aligning compliance efforts across multiple jurisdictions.

For firms operating in both the U.S. and the EU, this means providing additional documentation to demonstrate compliance with both regulatory regimes. Below, we outline key areas where DORA and NYDFS intersect and diverge, highlighting their implications for financial institutions and the cyber insurance market.

  1. Governance and oversight

    DORA:

    • Requires financial institutions to establish clear information and communication technology (ICT) risk management frameworks, with accountability at the board and senior management levels.
    • Introduces an ICT risk management function that must be…
