Two regulatory frameworks are now asking organizations to produce a number most of them cannot calculate.
The SEC's cybersecurity disclosure rules require public companies to report material incidents within four business days and describe their risk management processes in annual filings. DORA, the EU's Digital Operational Resilience Act, requires financial institutions to conduct business impact analyses using quantitative and qualitative criteria, map dependencies on third-party ICT providers, and report aggregated annual costs and losses from major incidents.
Both frameworks ask the same underlying question: what does this cost the business, in dollars, when something goes wrong?
The answer, for most organizations, does not exist.
The SEC's 2023 cybersecurity rules added Item 1.05 to Form 8-K. Public companies must disclose any cybersecurity incident they determine to be material within four business days of that determination (the clock starts at the materiality determination, not at discovery). Annual 10-K filings must describe the company's processes for assessing, identifying, and managing material cybersecurity risks, the board's oversight of those risks, and management's role in that process.
The CEO and CFO certify the annual and quarterly reports that carry these disclosures. That certification covers the cybersecurity disclosures even though the CFO is not responsible for day-to-day security operations.
Materiality is the operative word. Determining whether an incident is material requires understanding its financial impact. Determining financial impact requires knowing what the affected systems are worth to the business — not what they cost to operate, but what revenue, compliance capability, or operational capacity depends on them.
That is a Business Impact Intelligence question. Most organizations are answering it with estimates and assumptions because the underlying data has never been produced.
DORA has applied since 17 January 2025 to financial entities across the EU. Article 11 mandates that financial entities conduct business impact analyses of their exposure to severe business disruptions using quantitative and qualitative criteria, including scenario analysis. Entities must map dependencies on ICT third-party providers, test continuity plans against realistic scenarios, and, on request, report an estimate of aggregated annual costs and losses from major ICT-related incidents to competent authorities.
The first Register of Information submissions were due in Q1 2026. Compliance cost estimates from Deloitte's survey indicate most institutions are spending between two and five million euros, with only half expecting full compliance by year-end 2025.
DORA explicitly requires what most organizations have only done informally: quantify the financial impact of technology disruptions in terms that regulators can evaluate. The BIA that DORA mandates is Consequence — what happens when something fails. It does not require Discovery (what is everything worth) or Modeling (what should we invest in next). But the organizations that can answer only the Consequence question will find themselves revisiting the same analysis every time the regulatory environment, the vendor landscape, or the technology portfolio changes.
The SEC and DORA assume a capability that most organizations have not built. They assume the organization knows what its critical technology dependencies are, what those dependencies are worth in financial terms, and what cascades when they change.
Business Impact Analysis covers part of this. It ranks disruption scenarios by impact and sets recovery priorities and time objectives for them. It does not produce a dollar-denominated picture of what the organization depends on, or a forward-looking model of what happens when the organization invests in, acquires, or retires an asset.
Business Impact Intelligence covers all of it. Discovery, Consequence, and Modeling together produce the financial foundation that both regulatory frameworks are demanding.
Organizations that build this capability now will meet current regulatory requirements and be positioned for whatever comes next. Organizations that continue producing one-time BIAs in response to each new regulation will repeat the effort every cycle without accumulating the institutional knowledge that compounds over time.
Does DORA require Business Impact Intelligence specifically?
DORA requires business impact analysis with quantitative criteria. BIA is the minimum. BII extends beyond DORA's current requirements by adding Discovery and Modeling, which positions organizations to answer the next round of regulatory questions without starting over.
Do SEC rules apply to non-public companies?
The SEC cybersecurity disclosure rules apply to public companies. Private companies are not directly subject to 8-K or 10-K requirements. However, private companies that supply public companies, seek capital investment, or anticipate going public face increasing pressure to demonstrate the same level of impact quantification.
Where can I read the BII framework?
The definition and three-leg framework are at valoros.red/bii. A comparison of BII and BIA is at valoros.red/bii/bii-vs-bia.