When you hear “DORA,” maybe the first thing that comes to mind is a certain adventurous explorer. But in the world of finance, the EU Digital Operational Resilience Act (DORA) is here to help businesses navigate the complex terrain of digital risk.

With a deadline looming on January 17, 2025, DORA is your map for building resilience, protecting critical business functions, and steering clear of digital disruptions. Applicable to all financial entities operating in the EU and their critical Information and Communication Technology (ICT) service providers (see below for information if your U.S. company is in-scope), DORA outlines essential steps for promoting digital stability across businesses of all sizes.

But, thanks to the principle of proportionality, DORA’s framework adjusts to your companies’ scale, keeping compliance focused and achievable. DORA adapts its requirements based on the size of your business, recognizing that one size doesn’t fit all:

Microenterprises: Fewer than 10 employees and an annual turnover or balance sheet of up to €2 million.

• Small enterprises: Between 10 and 49 employees, with an annual turnover or balance sheet total between €2 million and €10 million.

• Medium enterprises: Fewer than 250 employees, with an annual turnover up to €50 million or a balance sheet total up to €43 million.

This means if you’re a smaller company, you can comply with DORA in a way that’s proportional to your resources and operational scale, allowing startups and SMEs to meet regulatory standards without excessive burdens.

Key targets for small and medium enterprises*

Meeting DORA’s standards involves focusing on four key pillars: ICT risk management, incident response, testing, and third-party risk management. Here’s a breakdown of what’s required at a high-level:

1. Build a reliable ICT risk management framework

DORA emphasizes creating a structured approach to managing ICT risk. This includes identifying critical business functions, mapping dependent systems, and putting safeguards in place to manage potential risks. For SMEs, a simple but robust framework is effective—as long as it’s documented, regularly updated, and can adapt as your business evolves. Rather than overcomplicating, prioritize practical policies and processes that can scale with you.

Note: This pillar is likely the biggest lift for your startup as a lot of security controls will need to be implemented. We recommend to bundle this with getting ISO27001 compliant as there is a lot of overlap and if you’ve been thinking about getting certified anyways, it can help to streamline your efforts significantly.

2. Create an effective incident response plan

When disruptions hit—be it a cyberattack or technical glitch—clear, actionable response plans becomes your company’s best defense. DORA mandates an incident response protocol to swiftly identify, contain, and resolve incidents, minimizing downtime and reducing potential losses. With well-organized, straightforward response plans, you’re equipped to quickly restore operations, safeguarding not only your bottom line but also the trust and confidence of your clients and partners.

3. Test your systems regularly

DORA emphasizes the importance of regular resilience testing, but the approach can be simple and proportionate to your scale. Start with foundational activities like tabletop exercises, where your team walks through hypothetical disruption scenarios to identify weak spots in your processes. Another effective option is basic vulnerability assessments or penetration tests, which can help reveal and address potential security risks without requiring extensive resources. Disaster recovery drills with a limited scope—such as testing the restoration of specific critical systems or data backups—may also be part of your foundational efforts.

These straightforward tests not only satisfy DORA’s requirements but also help you understand your preparedness to handle disruptions. Over time, your testing can expand to include more advanced methods like scenario-based simulations or supplier resilience evaluations as your organization’s needs evolve.

4. Assess and manage third-party risk

If you’re relying on third-party providers for your critical business functions, DORA calls for a comprehensive evaluation of these partners. This involves reviewing their resilience measures and structuring service-level agreements (SLAs) to address potential risks. Adopting a “trust-but-verify” approach with vendors helps protect your company from third-party vulnerabilities.

But, do U.S. companies need to worry about DORA?

DORA's applicability to U.S. companies depends on their role in the EU financial system. If your company provides critical services to EU financial institutions—such as cloud infrastructure for banks, trading platforms, or essential risk assessment tools—you'll likely need to comply. However, if your service simply allows EU users to sign up without directly supporting financial institutions' operations, you're probably outside DORA's scope.

The key questions to consider are:

• Do you have direct relationships with EU financial institutions?

• Are your services essential to their operations? Consider whether your service:

  • Supports core banking functions (payments, transfers, settlements)

  • Handles sensitive financial data processing

  • Provides critical infrastructure (cloud hosting, security systems)

  • Is integrated into their daily operations in a way that disruption would impair their ability to serve customers

• Would your service disruption directly impact EU financial stability?

If you’re unsure, feel free to contact us at Oneleet.

Ready to simplify DORA compliance? We’re here to support.

DORA compliance isn’t just about meeting regulations—it’s a strategic move to position your company for growth and secure its future.

At Oneleet, we provide tailored guidance for an effective, proportional implementation, offering:

• Save time: DORA requirements are broken down into manageable steps, customized to your company’s scale, with ready-to-use templates and streamlined processes to save you time.

• Avoid the guesswork: Our dedicated team is here to guide you every step of the way—whether asynchronously in your Oneleet Slack channel or through personalized sessions to address any questions you have.

Don’t let the complexities of DORA compliance slow down your growth. Contact us today to learn how Oneleet can help you navigate the path to compliance and build lasting resilience appropriate for your business.

*If you’re curious about the key targets for microenterprises, please feel free to contact us!