The EU DORA Act

Why is the business world in this country so darned afraid of accountability like this in the United States? Even the U.S. Government should be held to this standard like no other. Companies are worried about that almighty dollar more than anything else. Here are the reasons the US and EU differ in accountability.

While DORA provides a unified, top-down regulation, the US approach is often a patchwork of sector-specific and state-specific regulations.

AI Overview

The US does not have a single, direct legislative equivalent to the EU’s Digital Operational Resilience Act (DORA). Instead, DORA is mirrored by a combination of regulations, including the NYDFS Cybersecurity Regulation (23 NYCRR 500), the SEC Cybersecurity Rule, the Gramm-Leach-Bliley Act (GLBA), and CISA incident reporting mandates.

Key US Functional Equivalents to DORA

While DORA is a comprehensive regulation for the EU financial sector, US entities align with these frameworks to meet similar objectives:

  • NYDFS Cybersecurity Regulation: Often cited as the closest equivalent in scope, focusing on financial institution cybersecurity, risk management, and mandatory reporting of material incidents.
  • SEC Cybersecurity Rule: Requires public companies (including financial entities) to disclose material cybersecurity incidents within four business days.
  • Interagency Guidance on Operational Resilience (Fed, OCC, FDIC): Directs large banking organizations to manage systemic risk through operational resilience.
  • Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to explain their information-sharing practices and protect sensitive data.
  • CISA Cyber Incident Reporting Act: Mandates reporting of major cyber incidents for critical infrastructure.

Key Similarities and Usage Examples

  • Third-Party Risk Management: DORA requires strict management of ICT suppliers (similar to GLBA and Fed guidance on vendor management).
  • Incident Reporting: Both DORA and US regulations (SEC/NYDFS) require prompt, detailed reporting of material incidents.
  • Testing and Audits: DORA requires annual penetration testing, which aligns with threat-led penetration testing (TLPT) requirements under NYDFS and NIST frameworks.
  • Applicability: DORA has extra-territorial reach, meaning U.S.-based firms providing services to EU financial entities must comply with DORA requirements, notes TechRadar.


SA

A better review of Article 9 of the EU DORA Act is here:

*This ENFORCEMENT is so needed in our money-comes-first mentality here in the US.

SA