The DORA Reckoning: How September's Cyberattacks Just Triggered Europe's First Cross-Border Regulatory Crisis

Why the Collins Aerospace and JLR attacks represent the first major test of Europe's new cybersecurity regulatory framework - and most UK businesses have no idea what's coming

While everyone's been focused on production shutdowns and flight delays, they've completely missed the real story. The Collins Aerospace ransomware attack and JLR cyberattack weren't just another couple of ransomware incidents. They were the first major test of the European Union's Digital Operational Resilience Act (DORA), which became applicable on January 17, 2025 - just eight months before these attacks devastated critical infrastructure.

And here's what should terrify every business leader: DORA changes how ICT incidents affecting financial entities are regulated across borders. We're not just looking at operational disruption from ransomware anymore. We're looking at direct EU oversight of non-EU providers, mandatory incident reporting obligations with hard deadlines, and potentially the first cross-border enforcement actions under a framework most businesses don't know exists.

The regulatory reckoning is coming, and British businesses are spectacularly unprepared.

Understanding DORA: The EU's Digital Operational Resilience Framework

The Digital Operational Resilience Act isn't just another compliance framework. It's a regulatory shift that most cybersecurity professionals are still working out. DORA gives the ESAs direct oversight powers over ICT third-party service providers designated as critical to EU financial entities, regardless of where the provider is established - which is the hook that could reach a US company such as Collins Aerospace.

Let that sink in: a US aerospace company can be directly overseen by European financial authorities if the ESAs designate it as critical because EU financial entities depend on its ICT services.

DORA applies to over 22,000 financial firms and ICT service providers across the EU. It covers banks, insurance companies, investment firms, payment institutions, and their critical technology providers. But here's the kicker - it also reaches "ICT third-party service providers established in a third country": a non-EU provider can be designated and overseen, and its contracts with EU financial entities must carry the mandatory terms of Article 30, even though the direct compliance obligations sit with the financial entity.

The European Supervisory Authorities (ESAs) - the EBA, EIOPA, and ESMA - now have direct powers to designate Critical ICT Third-Party Providers (CTPPs) under Article 31 and subject them to ongoing oversight by a Lead Overseer, including the power to conduct investigations and on-site inspections and to impose periodic penalty payments.

Collins Aerospace Ransomware Attack: DORA's First Cross-Border Test Case

The Collins Aerospace ransomware attack represents exactly the kind of systemic risk DORA was designed to address. Collins provides check-in and boarding systems to multiple airlines across numerous European airports, creating a single point of failure that can disrupt aviation networks across continents.

But here's what the aviation industry is missing: Major European airports have extensive payment ecosystems that directly involve DORA-covered entities:

  • Payment processing systems for airline transactions

  • Foreign exchange services for international travelers

  • Banking and financial services within airport terminals

  • Credit card processing for retail, dining, and parking

  • Travel insurance providers with airport partnerships

  • Corporate payment systems for airport operations

When Collins' MUSE software was compromised, it didn't just affect flight check-ins. It potentially disrupted financial services operations across multiple airports. For any affected EU financial entity, that means running the incident through DORA's classification criteria (Article 18 and the classification RTS); if it crosses the "major" thresholds, mandatory reporting follows.

Under DORA Article 19, financial entities must report major ICT-related incidents to their competent authority within specific timeframes set by the incident-reporting RTS: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Any EU bank, payment processor, or other financial entity whose services were disrupted by the Collins outage to that degree was legally required to notify its regulator - and failure to do so carries penalties.
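The deadline arithmetic behind Article 19 is where incident-response playbooks tend to go wrong, because the initial notification is governed by two clocks at once: four hours from classification, but never more than 24 hours from awareness, so slow triage cannot push the deadline back. The following Python script is an added example written for this article, not code from any regulator, vendor or the page's author. The reporting windows are taken from the incident-reporting RTS (Commission Delegated Regulation (EU) 2025/301) as read by the editor; "one month" is approximated as 30 days, which is an assumption to check against your competent authority. The incident timeline in it is constructed, not from any real incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows for a major ICT-related incident under DORA Article 19, per the
# incident-reporting RTS (Commission Delegated Regulation (EU) 2025/301). Editor's
# reading; confirm against your competent authority before wiring into a playbook.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # initial notification: 4h from classifying as major...
INITIAL_AFTER_AWARENESS = timedelta(hours=24)       # ...and never later than 24h from becoming aware
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # intermediate report: 72h from the initial notification
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)       # final report: "one month" from the intermediate report;
                                                    # approximated as 30 days here (assumption)


@dataclass(frozen=True)
class Article19Deadlines:
    initial: datetime
    initial_bound: str          # "classification" or "awareness": which limit actually binds
    intermediate: datetime
    final: datetime


def _utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a timezone and normalise it to UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone: {ts}")
    return dt.astimezone(timezone.utc)


def article19_deadlines(
    aware_at: str,
    classified_at: str,
    initial_sent_at: Optional[str] = None,
    intermediate_sent_at: Optional[str] = None,
) -> Article19Deadlines:
    """Compute the three Article 19 deadlines from the incident timeline.

    The initial deadline is the earlier of (classification + 4h) and (awareness + 24h).
    Later deadlines key off the actual submission time where known, otherwise off the
    preceding deadline, i.e. the latest plan that is still compliant.
    """
    aware = _utc(aware_at)
    classified = _utc(classified_at)
    if classified < aware:
        raise ValueError("an incident cannot be classified before the entity is aware of it")

    by_classification = classified + INITIAL_AFTER_CLASSIFICATION
    by_awareness = aware + INITIAL_AFTER_AWARENESS
    if by_classification <= by_awareness:
        initial, bound = by_classification, "classification"
    else:
        initial, bound = by_awareness, "awareness"   # slow triage: the 24h cap binds

    initial_sent = _utc(initial_sent_at) if initial_sent_at else initial
    intermediate = initial_sent + INTERMEDIATE_AFTER_INITIAL
    intermediate_sent = _utc(intermediate_sent_at) if intermediate_sent_at else intermediate
    final = intermediate_sent + FINAL_AFTER_INTERMEDIATE
    return Article19Deadlines(initial, bound, intermediate, final)


def hours_remaining(deadline: datetime, now: str) -> float:
    """Hours left until `deadline` at time `now` (negative once it has passed)."""
    return (deadline - _utc(now)).total_seconds() / 3600.0


if __name__ == "__main__":
    # Constructed timeline (not a real incident): the SOC sees the outage late on a
    # Friday evening, but the crisis team only classifies it as major the next evening,
    # so the 24h-from-awareness cap overtakes the 4h-from-classification window.
    d = article19_deadlines("2025-09-19T22:00:00+00:00", "2025-09-20T19:00:00+00:00")
    print("initial notification due", d.initial.isoformat(), "bound by", d.initial_bound)
    print("intermediate report due ", d.intermediate.isoformat())
    print("final report due        ", d.final.isoformat())
    print("hours left at Sat 20:00 ", hours_remaining(d.initial, "2025-09-20T20:00:00+00:00"))
```

The point to take from the `initial_bound` field: if your classification step routinely takes longer than 20 hours, the four-hour window is irrelevant and the 24-hour cap is the only clock that matters, which is an argument for classifying provisionally and early.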

The Cross-Border Enforcement Reality

Collins Aerospace may be about to discover what it means to operate critical infrastructure under EU financial services regulation. The ESAs' stated timeline (JC 2024 99) is to make the first CTPP designations in the second half of 2025. Designation turns on the criteria in Article 31(2) - above all how many financial entities rely on the provider for critical or important functions and how easily it can be substituted - not on importance to aviation as such, so the case for Collins rests on the airport payment dependencies described above.

Once designated as a CTPP, Collins would become subject to:

  • Direct EU regulatory oversight regardless of their US headquarters

  • Mandatory incident reporting for any disruptions affecting EU financial services

  • Business continuity planning requirements that meet EU standards

  • Regular resilience testing as specified by European authorities

  • Contractual obligations with specific terms required for EU financial entity clients

This isn't theoretical regulatory expansion. This is direct EU authority over a US company's operations, backed by enforcement powers: recommendations from the Lead Overseer that financial entities are expected to act on, and periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for each day of non-compliance (Article 35).

JLR Cyberattack: Supply Chain DORA Compliance Failures

While JLR is primarily automotive, the company's extended shutdown creates potential DORA implications through supply chain financial disruption. JLR directly employs 33,000 people in the UK and supports 104,000 supply chain jobs - an economic disruption of this magnitude inevitably affects financial services.

Potential DORA triggers from the JLR incident include:

  • JLR Financial Services operations, to the extent they run through EU-authorised financial entities that fall directly under DORA scope

  • Payment processing disruptions affecting retail and dealer operations

  • Supply chain financing failures impacting banks and credit providers

  • Insurance claims processing for business interruption coverage

  • Trade finance disruptions affecting international suppliers

More concerning is the systemic risk principle underlying DORA. When a major manufacturer shuts down for weeks, it creates cascading financial services impacts that regulators are now required to monitor and address under the new framework.

The Implementation Disaster Nobody Saw Coming

Eight months after DORA became applicable, September's cyberattacks exposed how unprepared both industry and regulators are for cross-border incident management under the new framework.

The regulatory coordination failures are embarrassing:

  • No clear public disclosure of whether affected financial entities properly reported incidents under DORA requirements

  • Inconsistent communication between national authorities and EU-level supervisors

  • Limited transparency about which ICT providers are being assessed for critical designation

  • Unclear enforcement actions despite obvious systemic failures

The European Supervisory Authorities spent years developing DORA's technical standards, but the September attacks revealed they're not ready for real-world implementation. When critical infrastructure fails, regulatory frameworks need to work immediately - not after months of post-incident analysis.

The Coming Regulatory Storm

What happened in September is just the beginning. The ESAs are working toward the first Critical ICT Third-Party Provider designations in the second half of 2025, and recent events will sharpen their focus on aviation, logistics, and cross-border infrastructure dependencies.

Companies should expect:

Expanded Critical Designations: The systemic impact of Collins' failure will influence how the ESAs assess other providers. Any technology company supporting European financial infrastructure should expect enhanced scrutiny.

Cross-Border Enforcement Actions: DORA's first major penalties are coming, and they'll target both EU financial entities that failed to comply with reporting requirements and non-EU providers that lack adequate resilience controls.

Contractual Overhauls: Financial entities are rushing to review their ICT provider contracts to ensure DORA compliance. Providers that can't meet the new requirements will lose EU business.

Supply Chain Mapping: The JLR incident demonstrates how operational disruptions cascade through financial services. Expect expanded due diligence requirements for supply chain dependencies.

The Business Reality Check

For UK businesses, DORA represents a fundamental shift in how cybersecurity incidents are regulated and enforced. This isn't just about protecting your own systems anymore - it's about understanding how your dependencies on third-party providers create regulatory exposures under foreign frameworks.

Critical questions every business leader should be asking:

  • Which of your ICT providers serve EU financial entities and could be designated as critical under DORA?

  • How would their failure affect your operations and what regulatory reporting obligations might that trigger?

  • Are your incident response plans aligned with DORA's notification requirements if you have EU financial services exposure?

  • Do your contracts with critical providers include the mandatory terms required under DORA?

The Microsoft Factor

Here's the elephant in the room: Microsoft has explicitly stated it's "prepared to be designated as a critical ICT third-party service provider" under DORA. If you're running business operations on Microsoft 365, Azure, or other Microsoft cloud services that support financial functions, a service your business depends on may itself sit under direct EU financial services oversight.

This affects far more businesses than most realize. Any UK company using Microsoft cloud services for financial functions - accounting, payments, customer management, supply chain finance - could find DORA's requirements flowing down to it through Microsoft's contract terms and through any remedial measures the Lead Overseer requires of Microsoft.

The same applies to other major cloud providers, SaaS platforms, and ICT services that support financial operations. DORA creates a web of regulatory dependencies that most businesses haven't mapped and don't understand.

Government Response: Too Little, Too Late, Too Naive

The UK government's response to September's cyberattacks completely ignored the DORA implications. Ministers focused on supporting JLR's restart and coordinating aviation recovery, but showed no understanding of the regulatory transformation occurring across the Channel.

This represents a strategic failure at the highest levels. While UK businesses face expanding EU regulatory oversight through their technology dependencies, government policy makers are still treating cybersecurity as a domestic IT support issue.

The EU is systematically expanding its regulatory reach over global technology infrastructure through frameworks like DORA. UK businesses need government leadership that understands how this affects competitive positioning, but instead we get reactive crisis management and platitudes about "working with partners."

What This Means for Your Business

DORA isn't someone else's problem. If your business depends on technology providers that serve European markets, you're already indirectly subject to EU financial services regulation whether you realize it or not.

The practical implications are immediate:

Vendor Risk Assessment: Every critical technology provider needs evaluation for potential DORA designation. Their failure could trigger regulatory obligations you're not prepared for.

Contract Reviews: If you have any EU financial services exposure, your technology contracts may need DORA-compliant terms to avoid regulatory violations.

Incident Response Updates: Your breach notification procedures may need updating to account for DORA requirements if EU financial entities are affected.

Business Continuity Planning: Supply chain disruptions now carry regulatory as well as operational risks if they affect financial services operations.

The Coming Enforcement Wave

The Collins Aerospace incident will be studied extensively by the ESAs as they finalize their critical provider designation criteria. Any US or UK technology company providing infrastructure services to European financial institutions should expect enhanced regulatory scrutiny over the coming months.

DORA's enforcement mechanisms are designed to be immediate and severe. Unlike traditional financial services regulation that focuses on capital adequacy, DORA targets operational resilience with direct oversight powers and penalty mechanisms.

The September cyberattacks provided the regulatory ammunition for the EU to demonstrate DORA's reach. Don't expect future incidents involving critical providers to receive the same regulatory patience we've seen so far.

Conclusion: The Regulatory Reality Nobody Prepared For

The Collins Aerospace and JLR attacks weren't just cybersecurity incidents. They were the opening shots in a new era of cross-border regulatory enforcement that most businesses don't understand and aren't prepared for.

DORA represents the EU's most aggressive expansion of financial services regulation into technology infrastructure. While UK businesses were focused on domestic cybersecurity compliance, the EU quietly built a regulatory framework that can directly oversee their critical technology providers.

The choice for UK businesses is simple: understand how DORA affects your technology dependencies and prepare for expanded EU regulatory oversight, or continue operating under the illusion that cybersecurity is just an IT problem.

Based on the regulatory response to September's attacks, most businesses will choose the latter option. They'll discover their mistake when their critical technology providers start facing direct EU enforcement actions and regulatory requirements that cascade through their entire supply chain.

The DORA reckoning is coming. The only question is whether UK businesses will prepare for it or become its first casualties.

Sources (Source | Document/Article | Date | Key information)

European Banking Authority (EBA) | Digital Operational Resilience Act Implementation Guidelines | January 17, 2025 | DORA application date and compliance requirements
European Supervisory Authorities (ESAs) | Statement on DORA Application (JC 2024 99) | December 2024 | CTPP designation timeline: H2 2025
ENISA | Collins Aerospace Ransomware Confirmation | September 23, 2025 | Official confirmation of ransomware attack on airport systems
Microsoft Learn | What is DORA? - DORA Compliance Documentation | 2025 | Microsoft prepared for CTPP designation under DORA
BleepingComputer | Jaguar Land Rover extends shutdown after cyberattack | September 2025 | JLR production impact and data breach confirmation
ITV News | JLR cyber attack more disruptive than M&S hack | September 15, 2025 | Government briefings on attack complexity and supplier impact
Industrial Cyber | Cyberattack on Collins Aerospace disrupts flights | September 20, 2025 | Technical details of aviation infrastructure attack
DLA Piper | Application of Digital Operational Resilience Act | February 2025 | Legal analysis of DORA cross-border enforcement powers
Freshfields Risk & Compliance | DORA and critical ICT third-party service providers | 2025 | CTPP designation criteria and oversight framework
CSSF Luxembourg | Entry into application of DORA regulation | January 17, 2025 | Incident reporting requirements and procedures