The Digital Operational Resilience Act (DORA) has officially been in effect since 17 January 2025, following a two-year lead-up period—but many organizations are still playing catch-up. Although DORA is an EU regulation targeting the financial sector, including alts, its reach extends beyond Europe. U.S.-based companies that provide services to EU financial institutions, including subsidiaries, are also within scope and must comply.
Perhaps the most overlooked aspect of DORA is its deep emphasis on third-party risk management. DORA requires EU financial firms to ensure their service providers meet strict resilience standards. This includes the ability to produce a Register of Information that documents third-party risk metrics and data for regulatory review. U.S. vendors must be prepared to meet these requirements and face audits that demand transparency and accountability.
DORA is a powerful reminder of how interconnected global business has become. It reinforces the need for alts to stay proactive, regardless of where the regulation originates.