DORA: Scope and Entities
Status: Work in progress
Who falls under DORA?
Financial entities (Art. 2)
DORA applies to a wide range of financial entities:
| Category | Examples | Regulator |
|---|---|---|
| Credit institutions | Banks, savings banks | National financial authority |
| Payment institutions | Payment services, e-money | National financial authority |
| Investment firms | Securities dealers | National financial authority |
| Insurance undertakings | Life and non-life insurance | National financial authority |
| Reinsurance undertakings | Reinsurance companies | National financial authority |
| Pension funds | Institutions for occupational retirement provision (IORPs) | National financial authority |
| Crypto-asset service providers | CASPs (as defined in MiCA) | National financial authority |
| ICT third-party providers | ICT providers designated as critical | ESAs |
ICT Third-Party Providers
ICT third-party providers designated as critical are subject to direct oversight by the ESAs (EBA, EIOPA, ESMA). Typical provider types include:
- Cloud service providers
- Data analytics providers
- Software vendors
- Data centres
Scope Assessment
Step 1: Identify entity type
- [ ] Are we a financial entity under Art. 2?
- [ ] Do we provide ICT services to financial entities?
- [ ] Do we hold a licence from a national financial authority?
Step 2: Determine the regime
| Criterion | Standard regime | Simplified regime |
|---|---|---|
| Size | Large/medium entities | Small entities |
| Systemic significance | Significant institutions | Non-significant |
| ICT complexity | High | Low |
Step 3: Map ICT third parties
For each ICT third-party provider:
- Identify services
- Assess criticality
- Record in the register
- Verify contractual requirements
Simplified regime (Art. 16)
Smaller financial entities that meet all of the following conditions may use a simplified ICT risk management framework:
Conditions:
- Not systemically significant
- Meet size criteria
- Low ICT environment complexity
Accommodations:
- Simplified documentation
- Less frequent testing
- Proportional reporting