Article | FINEX Observer

DORA vs. NYDFS: The compliance challenge reshaping cyber insurance for financial institutions

By Adrian Alejandro Muniz | March 17, 2025

The intersection and divergence of DORA and NYDFS and their implications for financial institutions and the cyber insurance market
Financial, Executive and Professional Risks (FINEX)

The Digital Operational Resilience Act (DORA), which went into effect on January 17, 2025, is reshaping the regulatory landscape for financial institutions operating in the European Union. While an EU-specific regulation, its impact extends beyond Europe, particularly for firms also subject to the New York Department of Financial Services (NYDFS) cybersecurity regulations. Given the significant overlap between these frameworks, financial institutions must navigate the challenge of aligning compliance efforts across multiple jurisdictions.

For firms operating in both the U.S. and the EU, this means providing additional documentation to demonstrate compliance with both regulatory regimes. Below, we outline key areas where DORA and NYDFS intersect and diverge, highlighting their implications for financial institutions and the cyber insurance market.

  1. Governance and oversight

    DORA:

    • Requires financial institutions to establish clear information and communication technology (ICT) risk management frameworks, with accountability at the board and senior management levels.
    • Introduces an ICT risk management function that must be independent and report to senior leadership.
    • Mandates an annual resilience strategy, including business continuity planning.

    NYDFS:

    • Mandates the appointment of a Chief Information Security Officer (CISO) who reports directly to the board or senior management.
    • Requires the board of directors or equivalent governing body to oversee cybersecurity policies and approve risk management plans.
    • Firms must conduct annual board-level cybersecurity training and oversight reviews.

    Intersection:

    • Both regulations emphasize board-level accountability, governance structures and the documentation of cybersecurity strategies. However, NYDFS explicitly mandates a CISO role, while DORA focuses on an independent ICT risk function.

  2. Risk management requirements

    DORA:

    • Establishes specific ICT risk management policies, requiring institutions to categorize, monitor and mitigate ICT-related risks.
    • Requires firms to assess third-party ICT risks continuously.
    • Mandates stress testing and scenario analysis to evaluate cyber resilience.

    NYDFS:

    • Requires risk-based cybersecurity programs, tailored to the entity’s size, complexity and risk profile.
    • Mandates a risk assessment framework that identifies internal and external risks, which must be reviewed regularly.
    • Imposes strict multi-factor authentication (MFA) requirements for remote access.

    Intersection:

    • Both regulations require risk-based approaches, third-party risk management and continuous monitoring, but DORA formalizes stress testing and ICT-specific risk categorization in a way that NYDFS does not.

  3. Incident reporting and response

    DORA:

    • Requires financial institutions to report major ICT-related incidents to the European Supervisory Authorities (ESAs) within four hours of detection.
    • Demands firms provide a full impact assessment within 72 hours and a final report within a set period.
    • Introduces a standardized incident taxonomy to ensure consistent reporting.

    NYDFS:

    • Requires firms to report cybersecurity incidents within 72 hours of determination that an event has occurred.
    • Defines cybersecurity events broadly, covering data breaches, unauthorized access or any event that could materially affect operations.
    • Mandates periodic incident response testing and tabletop exercises.

    Intersection:

    • Both require rapid incident reporting, but DORA’s four-hour requirement is significantly stricter than NYDFS’s 72-hour rule. Additionally, DORA provides a structured taxonomy, whereas NYDFS allows firms more discretion in reporting.

  4. Third-party and supply chain risk management

    DORA:

    • Establishes direct regulatory oversight of critical third-party service providers (CSPs), including cloud providers.
    • Requires financial institutions to continuously assess third-party ICT risks and ensure contracts include security obligations.
    • Introduces a centralized EU oversight framework for third-party ICT providers.

    NYDFS:

    • Mandates that firms conduct periodic third-party risk assessments and implement minimum security standards in vendor contracts.
    • Requires firms to assess cloud providers and external vendors but does not impose direct oversight.
    • Third-party due diligence includes regular penetration testing and security assessments.

    Intersection:

    • Both frameworks impose strict third-party security requirements, but DORA takes it further by regulating critical ICT providers at an EU level, whereas NYDFS relies on financial institutions to oversee vendors.

  5. Operational resilience and business continuity

    DORA:

    • Requires institutions to establish robust operational resilience frameworks, ensuring continued operations despite cyber threats.
    • Introduces business continuity and disaster recovery (BC/DR) planning, with required testing of backup and contingency plans.
    • Mandates a resilience testing program, simulating cyberattacks to evaluate preparedness.

    NYDFS:

    • Requires covered entities to maintain business continuity and disaster recovery (BC/DR) plans.
    • Firms must conduct annual BC/DR testing and review resilience plans for effectiveness.
    • Places emphasis on incident response coordination with law enforcement and regulators.

    Intersection:

    • Both stress resilience, BC/DR and testing, but DORA explicitly mandates resilience testing programs and regulatory oversight of ICT resilience efforts.

  6. Penalties and enforcement

    DORA:

    • Imposes severe penalties for non-compliance, including administrative fines and sanctions on senior management.
    • Financial institutions can be fined up to 2% of annual global turnover for ICT-related regulatory breaches.
    • Non-compliant ICT third-party providers can face blacklisting by EU regulators.

    NYDFS:

    • Enforces penalties through civil monetary fines, revocation of licenses and legal action.
    • Failure to comply with NYDFS cybersecurity rules can lead to significant regulatory actions, including multi-million-dollar fines.
    • NYDFS has previously penalized firms with a $30 million fine for cybersecurity deficiencies in 2022 and a $1 million fine for improper cybersecurity practices in 2023.

    Intersection:

    • Both regulations impose strict penalties, but DORA’s fines are tied to global revenue, potentially leading to higher financial consequences for non-compliance.

Financial institutions are struggling to harmonize compliance efforts, creating new challenges and opportunities in the cyber insurance space. In response to this shifting regulatory environment, insurers are adjusting their underwriting and contemplating coverage restrictions. Large multinational financial institutions that must comply with both DORA and NYDFS could experience lengthier underwriting cycles and increased due diligence requirements. Underwriters may scrutinize firms’ cybersecurity controls, third-party risk management programs and incident response plans more rigorously before offering coverage.

The cyber risk transfer strategies for financial institutions with global footprints could be impacted in meaningful ways. Firms with robust compliance programs may benefit from smoother renewals and more favorable terms, while those lagging behind could face longer underwriting cycles and higher premiums.

Further, WTW is monitoring whether insurers will soon require proof of DORA compliance before offering policies to financial institutions with European operations. This mirrors existing practices for NYDFS regulated entities, where insurers often demand evidence of cybersecurity preparedness before extending coverage. While this is not yet an industry-wide standard, it could become more prevalent, especially if the cyber insurance market hardens further due to increasing claims and regulatory enforcement actions.

Financial institutions that fail to meet these heightened expectations may find it more difficult to secure comprehensive cyber insurance coverage. Some insurers could impose restrictive terms or higher premiums on firms that lag in regulatory compliance, making it imperative for organizations to invest in robust resilience measures.

As insurers adjust to DORA, financial institutions may also see policy structures evolve with more exclusions or sublimits for regulatory non-compliance, making it even more critical for firms to fully understand their policy terms.

Endorsements explicitly addressing regulatory-related risks could become more common, potentially leading to gaps in coverage. DORA comes with strict requirements, and failing to meet them could lead to hefty fines and penalties.

Just as cyber insurers already exclude coverage for penalties related to GDPR violations, we may start seeing similar exclusions for DORA-related fines. If this happens, financial institutions could find themselves exposed to regulatory risks they previously assumed were covered.

To mitigate these risks, financial institutions should work closely with their brokers to review and negotiate policy terms, ensuring they have adequate protection against evolving regulatory requirements. Firms should also consider enhancing their risk management frameworks to align with both DORA and NYDFS, thereby improving their insurability.

What this means for our clients

For our clients, these regulatory shifts signal an evolving cyber insurance market that requires proactive risk management. Financial institutions with operations in both Europe and the U.S. should take immediate steps to assess their compliance posture and cyber insurance needs. To navigate this evolving landscape, financial institutions should:

• Ensure that your organization meets both DORA and NYDFS cybersecurity requirements to avoid potential coverage challenges.
• Work with your broker to review existing cyber insurance policies, identifying any exclusions or limitations related to regulatory fines and compliance failures.
• Expect insurers to require more documentation on cybersecurity measures, third-party risk management and incident response capabilities.
• Enhancing ICT resilience can reduce exposure and improve insurability.
• Given the tightened reporting timelines under DORA and NYDFS, financial institutions should work closely with their insurers to clarify pre-approved incident response expenses and ensure a streamlined approval process. This prevents delays and minimizes the risk of incurring out-of-pocket costs during critical response efforts.

By taking proactive steps now, financial institutions can mitigate regulatory risks, secure more comprehensive cyber insurance coverage and position themselves for success in an increasingly complex regulatory environment.

Disclaimer

WTW hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

Adrian Alejandro Muniz, Vice President – Broker, Cyber/Tech E&O