Operational Resilience & Legal Liability

Bridging the gap between EU regulation and fiduciary duty

And how this applies to ANY US company too!

Welcome to the Legal Resilience resource center. This section is specifically curated for US General Counsel, Compliance Officers, and Risk Managers navigating the shifting landscape of global digital regulation.

For decades, "Cybersecurity" was treated as a technical problem to be solved by IT. Today, under regulations like the EU's DORA (Digital Operational Resilience Act) and NIS2, it has evolved into a mandatory "Standard of Care" that directly impacts Board liability and corporate governance.

In this section, we move beyond the technical jargon to discuss:

  • Jurisdiction: The extraterritorial reach of EU laws to US companies (The "Targeting Test").
  • Liability: How "Operational Resilience" is becoming the new benchmark for the Duty of Oversight (Caremark duties).
  • Defense: How technical concepts like Synthetic Monitoring serve as a legal "Defense of Diligence" in negligence claims.

Whether you are here following our discussion on the ABA SciTech Lawyer Perspective podcast or researching specific regulatory triggers, these resources are designed to help you advise your clients with clarity.

The ABA podcast on Beyond Cybersecurity: How DORA and NIS2 are Redefining Operational Resilience

Duration 32:29 minutes.

The ABA Science & Technology Law Section is excited to share this episode of The SciTech Lawyer Perspective—your go-to source for timely conversations at the intersection of law, science, and technology.

In this episode of The SciTech Lawyer Perspective, host Donata Stroink-Skillrud sits down with Gert Taeymans, founder of Tymans Group, for an in-depth discussion of two of the European Union’s most consequential technology regulations: DORA and NIS2.

Together, they break down what these regulatory frameworks entail, when and how they apply to U.S. companies, and why they matter beyond the EU. The conversation highlights how themes such as operational resilience, third-party risk management, and executive accountability are redefining cybersecurity and governance expectations, with implications that are increasingly global in scope.

Listen on the ABA website

Full transcript and more from the American Bar Association (ABA) with Donata and Gert

The Shift from "Reasonable Security" to "Demonstrable Resilience"

The Changing Standard of Care

Under US tort law and the Caremark doctrine, corporate liability often hinges on whether a board acted with "prudence."

European regulations like DORA and NIS2 are effectively raising the global bar for what is considered "prudent."

  • Yesterday's Standard: It was prudent to prevent attacks (cybersecurity).

  • Today's Standard: It is mandatory to guarantee service continuity during an attack (Resilience).

Courts are moving away from the "did you buy a firewall?" test and toward a "did you maintain the service?" inquiry.

And there will always be failures; it's tech after all. So you need a solid defense that proves you were diligent.

The "Defense of Diligence"

How do you prove to a regulator or a court that your board wasn't negligent? You need an automated defense of diligence.

At Tymans Group, we work with you and your clients, from the board to senior management, so that the right implementations are put in place, such as "Synthetic Transaction Monitoring", the digital equivalent of a mystery shopper. Testing your critical services every 5 minutes, 24/7, generates a forensic log of successful tests every week.

We guide your clients and companies to make the right decisions and apply the appropriate standard of care for their business.

These actions convert a static paper compliance defense into an objective, data-driven defense that proves active oversight.
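As an added illustration (not Tymans Group's own tooling), the following shows how a synthetic-transaction monitor can produce the kind of objective, tamper-evident evidence log described above: every scheduled probe result is hash-chained to the previous one, so an auditor can later prove nothing was dropped or edited. Service names and probe functions are constructed stand-ins; no network is touched.

```python
"""Synthetic-transaction evidence log (added example, not Tymans Group code).

Each probe of a critical service becomes one record whose hash covers the
previous record. Editing, reordering or deleting any record breaks the chain,
which is what turns a monitoring log into forensic evidence of diligence."""
import hashlib
import json
import time
from typing import Callable

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def run_probe(name: str, probe: Callable[[], bool], prev_hash: str, ts=None) -> dict:
    """Run one synthetic transaction and build a chained evidence record."""
    start = time.monotonic()
    try:
        ok, error = bool(probe()), ""
    except Exception as exc:  # a crashing probe is a failed test and is still logged
        ok, error = False, type(exc).__name__
    record = {"ts": ts if ts is not None else time.time(), "service": name, "ok": ok,
              "error": error, "latency_ms": round((time.monotonic() - start) * 1000, 3),
              "prev": prev_hash}
    record["hash"] = _digest(record)
    return record


def run_cycle(probes: dict, log: list, ts=None) -> list:
    """One scheduling tick (e.g. every 5 minutes): probe every service, append to the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    for name, probe in probes.items():
        rec = run_probe(name, probe, prev, ts)
        log.append(rec)
        prev = rec["hash"]
    return log


def verify_chain(log: list) -> bool:
    """Recompute every hash and link; any altered, reordered or dropped record fails."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True


def availability(log: list, service: str) -> float:
    """Share of successful probes for one service: the 'did you maintain the service?' figure."""
    hits = [r["ok"] for r in log if r["service"] == service]
    return sum(hits) / len(hits) if hits else 0.0


# Constructed stand-in probes; a real probe would perform a login, checkout or similar.
PROBES = {"payments-api": lambda: True, "customer-portal": lambda: 1 / 0}
```

In production the records would be appended to write-once storage and the chain head published periodically, so the log can be verified by someone other than its producer.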

Essential Statutory References for US Counsel

DORA (Digital Operational Resilience Act)
  • Article 5

    This provision prohibits the "Financial Entity" (EU Sub) from delegating responsibility to the "Third Party" (US Parent).

  • Article 28(8)

    The law mandates "Exit Strategies" (prenuptial agreements) in all critical vendor contracts.

  • Article 31

    It establishes direct oversight for "Critical ICT Third-Party Providers" (Cloud/Tech).

NIS2 (Network & Information Security 2) Directive
  • Article 20

    Establishes the "Duty of Care" for the Management Body (Board).

  • Article 21

    Explicitly includes "business continuity" in the legal obligation.

  • Article 32

    Grants regulators the power to suspend executives from managerial functions (the "ejection seat").

Unsure if your US Client is in Scope?

Determining jurisdiction is rarely a straightforward process. Download our cheat sheet.

Book your 30-minute resilience call

How can Tymans Group help you?

TY as your advisor

This gives you our expertise on tap. Do you need part-time expertise to help you solve a problem? Call us. A remote advisory service that delivers results.

Focused Partnering and Implementing

Here, you receive our complete focus, and we collaborate with you individually until a resolution is reached. Note that this service currently has a waiting period.