DORA: Scope and Definitions
Scope and Definitions [Art 2-3]
Rule: DORA applies to a broad range of financial entities and the ICT third-party service providers that serve them.
Financial Entities Covered [Art 2(1)]
| Category | Entities |
|---|---|
| Banking | Credit institutions |
| Payment services | Payment institutions, e-money institutions, account information service providers |
| Investment | Investment firms, trading venues, data reporting service providers |
| Insurance | Insurance and reinsurance undertakings |
| Asset management | UCITS management companies, AIFMs |
| Pensions | Institutions for occupational retirement provision |
| Infrastructure | Central securities depositories, central counterparties, trade repositories |
| Crypto | Crypto-asset service providers, issuers of asset-referenced tokens |
| Credit services | Crowdfunding service providers, credit rating agencies |
| Administrative | Administrators of critical benchmarks, securitisation repositories |
Proportionality [Art 4]
Requirements apply proportionately based on:
- Size — Larger entities face more prescriptive requirements
- Risk profile — Complexity of services and activities
- Nature — Type of financial services provided
- Scale — Volume and complexity of operations
Microenterprises Exception [Art 4(2)]
Microenterprises (fewer than 10 employees AND turnover/balance sheet under €2M):
- Simplified ICT risk management framework permitted
- Some testing requirements reduced
- But must still meet core obligations
ICT Third-Party Service Providers [Art 3(21)]
An undertaking that provides ICT services.
When serving financial entities, such a provider is subject to:
- Contractual requirements via financial entity contracts
- Potential designation as “critical” ICT third-party service provider
- Direct oversight if designated critical
Critical ICT Third-Party Service Providers [Art 31]
May be designated as critical based on:
- Systemic character of financial entities relying on them
- Degree of substitutability
- Number/type of financial entities relying on services
If designated critical, the provider is subject to the direct oversight framework run by the Lead Overseer.
Key Definitions [Art 3]
| Term | Definition |
|---|---|
| ICT risk | Any identifiable circumstance related to network/information systems that could compromise security of digital data or services |
| Digital operational resilience | Ability to build, assure and review resilience; to provide the full range of ICT capabilities; and to ensure continuity of services |
| ICT services | Digital/data services provided through ICT systems on ongoing basis |
| ICT-related incident | Single or series of linked events not planned by financial entity, compromising security of systems and adversely impacting availability, authenticity, integrity, confidentiality |
| Major ICT-related incident | ICT-related incident with high adverse impact on systems supporting critical/important functions |
| Critical or important function | Function whose discontinuity would materially impair financial performance, soundness, or continuity of services |
| ICT third-party service provider | Undertaking providing ICT services |
| Intra-group ICT services | ICT services provided by one group entity to another |
Exclusions [Art 2(3)-(4)]
Not covered:
- Certain small payment/e-money institutions (limited network, exempted under PSD2)
- Post office giro institutions
- Entities exempted under MiFID II Article 2
- Certain small AIFMs (under €100M AUM thresholds)
Overlap with Other EU Rules
| Regulation | Relationship |
|---|---|
| NIS2 | DORA is lex specialis — prevails for financial entities |
| GDPR | Applies in parallel (ICT incidents may also be personal data breaches) |
| Outsourcing guidelines | DORA replaces EBA/EIOPA/ESMA outsourcing guidelines for ICT |
| PSD2 security | DORA complements operational security requirements |
Group Application
For groups:
- Parent undertaking responsible for group-wide ICT risk management
- Subsidiaries must comply individually
- Intra-group ICT service provision has specific rules
- Consolidated oversight possible
Third-Country Entities
Financial entities established in third countries:
- DORA applies to EU activities
- ICT third-party providers serving EU entities must meet contractual requirements
- Critical third-party designation can apply to non-EU providers