
DORA for US Firms: The Regulation in Your Contracts

You won’t hear from an EU regulator — you’ll get a redlined contract from a European customer. How DORA reaches US providers, and what it asks for on a recurring basis.

Updated June 2026
Short Answer

DORA — the EU's Digital Operational Resilience Act — has applied since January 17, 2025, and it reaches US firms three ways: through your EU subsidiaries (direct scope), through your contracts (EU financial entities must impose extensive requirements on their ICT providers — wherever those providers sit), and through designation (the ESAs named the first 19 Critical ICT Third-Party Providers in November 2025, including AWS, Microsoft, Google Cloud, and Oracle, putting them under direct EU oversight). If you sell technology or services to European financial institutions, DORA is most likely already in your contracts — whether or not anyone briefed you.

US firms tend to meet DORA the same way they met GDPR: not through a regulator, but through a redlined contract from a European customer. The mechanism is Article 30, which requires EU financial entities to bind their ICT service providers — software vendors, cloud services, data providers, managed services — to specific contractual provisions. The regulation's reach is the customer's pen.

The five pillars, briefly

What lands on a US provider's desk

| Where it comes from | What you're asked for |
| --- | --- |
| Article 30 contract terms | Security obligations, audit and access rights, incident notification to the customer, support for their resilience testing, termination/exit cooperation, subcontractor transparency |
| Register of Information | Detailed entity and service metadata your EU customers must file annually. EU firms report this as DORA's hardest requirement, which means recurring data requests to you |
| Concentration-risk reviews | Evidence supporting the customer's analysis of how dependent they are on you, and what happens if you fail |
| Due diligence refresh | Deeper, recurring security assessments: the questionnaire wave, with regulatory force behind it |

The practical posture for US firms

The good news: DORA's substance overlaps heavily with frameworks you may already hold. An ISO 27001 ISMS, SOC 2 controls, and NIST CSF alignment cover much of the ICT-risk-management pillar's ground (the SOC 2 / ISO decision looks different when EU financial customers are in the pipeline — ISO's stock rises). The work is mapping: knowing which of your existing controls and evidence satisfy which contractual DORA obligations, and being able to produce that mapping every time a customer's compliance team asks — which, with annual Register cycles and recurring reviews, is not a one-time event. In PRISM, DORA-derived requirements sit alongside the other frameworks your evidence already maps to; a customer's Article 30 addendum can be loaded as a custom framework and answered from the same approved evidence pool, the same way a security questionnaire is.

Signals worth watching

CTPP oversight is young — the first designations landed in late 2025, annual Register cycles are still maturing, and member-state guidance (like BaFin's 2026 note on AI systems in ICT risk frameworks) keeps adding texture. For US providers the trajectory is one-directional: EU financial customers will ask for more structure, more evidence, and more recurring proof. Building the mapping now is cheaper than rebuilding the relationship later.

DORA (Regulation (EU) 2022/2554) applicable from January 17, 2025; CTPP designations per the ESAs' November 2025 list; Register of Information cycle and implementation observations per 2026 industry reporting. Contractual obligations vary by customer and service criticality — review specific terms with counsel. Updated June 2026.

Answer Article 30 From One Evidence Pool

Load a customer’s DORA addendum as a custom framework and map your existing evidence against it—alongside ISO 27001, SOC 2, and the 32 other frameworks PRISM maintains.