Vigil Insights · Regulatory

Does DORA Apply to Your US Business? A Plain-English Breakdown

Vigil Research
March 1, 2026 · 6 min read

The Digital Operational Resilience Act applies to financial entities and ICT third-party service providers operating in the EU. If you have European clients or operations, you may be in scope.

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied in all EU member states since January 17, 2025. If your business operates in financial services or provides ICT services to financial entities, the question of whether DORA applies to you is no longer hypothetical.

Who Does DORA Apply To?

DORA's scope is broad. It applies to:

**Financial entities** — banks, investment firms, insurance companies, payment institutions, e-money institutions, crypto-asset service providers, and more — across all 27 EU member states.

**ICT third-party service providers (TPPs)** — companies that provide ICT services (cloud, software, data analytics) to in-scope financial entities. Most of DORA's obligations bind the financial entity rather than the provider directly, but they reach the provider through mandatory contract terms. This is where most US companies get tripped up.

The Extraterritorial Reach

DORA does not require your company to be headquartered in the EU. If you provide ICT services to an EU-regulated financial entity, such as a bank in Germany or an insurance company in France, **that entity's DORA third-party risk obligations flow down to you by contract** regardless of where you are incorporated. Article 30 prescribes the clauses the contract must contain, and a provider that the European Supervisory Authorities (ESAs) designate as critical comes under their direct oversight under Article 31.

Examples of in-scope US companies:

- A US-based SaaS platform that processes payments for a European bank
- A cloud security vendor whose EU financial services clients fall under DORA
- A US managed security services provider (MSSP) monitoring networks for EU insurers

What DORA Requires of TPPs

If you're an ICT third-party service provider in scope, expect the following. DORA places most of these duties on the financial entity; they reach you through the contract, and your client needs your cooperation to meet them.

  1. **Register of Information** — Your financial entity clients must record their contractual arrangement with you in their register of information (Article 28) and make that register available to their national competent authority on request.
  2. **Contractual Requirements** — Contracts covering ICT services, and in particular those supporting critical or important functions, must include the provisions listed in Article 30: service descriptions and data locations, audit, access and inspection rights, incident assistance, business continuity provisions, exit strategies and termination rights, and participation in security testing.
  3. **TLPT Participation** — If your service supports a critical or important function, the contract must oblige you to participate and cooperate fully in the client's threat-led penetration testing (Articles 26 and 30). Providers designated as critical ICT third-party providers by the ESAs are additionally subject to direct oversight under Article 31.
  4. **Incident Notification** — Major ICT-related incidents must be reported by the financial entity to its competent authority (Article 19); the initial notification is due within four hours of classifying the incident as major and no later than 24 hours after the entity became aware of it. Your contract will therefore require you to notify the client quickly enough for it to meet that clock.

How Vigil Helps

Clio monitors DORA regulatory developments continuously, including EBA and ESMA technical standards. Vigil VRM maintains the ICT third-party register required by DORA Article 28 and generates the regulatory reports your financial entity clients need to submit to their supervisors.


Start a free 14-day trial or book a demo to see how PostureIQ, Clio, and ComplianceGuard handle this automatically for your organization.
