Who Needs DORA Compliance? Scope and Applicability
DORA applies to 20 categories of financial entities operating within the European Union, plus the ICT third-party service providers that support them. Understanding whether your organization falls within scope is the first step toward compliance.
Unlike some regulations that use revenue thresholds or employee counts to determine applicability, DORA takes a sector-based approach. If your organization falls into one of the defined categories and operates in the EU, DORA applies regardless of size, though the principle of proportionality allows for scaled implementation based on your risk profile.
Key Takeaways
| Point | Summary |
|---|---|
| 20 categories | DORA explicitly lists 20 types of financial entities within its scope |
| No size threshold | DORA applies based on sector classification, not company size |
| Proportionality applies | Smaller entities can implement measures proportionate to their risk profile |
| ICT providers affected | Third-party service providers are indirectly subject through contractual requirements |
| Critical providers | Designated Critical ICT Third-Party Providers face direct EU oversight |
Quick Answer: DORA applies to banks, payment institutions, investment firms, insurers, crypto-asset providers, and 15 other categories of financial entities operating in the EU. While there is no minimum size threshold, smaller entities can implement proportionate measures. ICT service providers serving these entities must meet contractual requirements imposed by their clients.
Financial Entities Covered by DORA
DORA Article 2 explicitly lists the financial entities within its scope. Here is the complete list:
| Category | Examples |
|---|---|
| Credit institutions | Banks, building societies |
| Payment institutions | Licensed payment service providers |
| Account information service providers | Open banking aggregators |
| Electronic money institutions | E-money issuers |
| Investment firms | Broker-dealers, wealth managers |
| Crypto-asset service providers | Crypto exchanges, custodians, wallet providers |
| Issuers of asset-referenced tokens | Stablecoin issuers |
| Central securities depositories | Securities settlement infrastructure |
| Central counterparties | Clearing houses |
| Trading venues | Stock exchanges, MTFs, OTFs |
| Trade repositories | Derivatives trade reporting |
| Managers of alternative investment funds | Hedge fund managers, private equity managers |
| Management companies (UCITS) | Mutual fund managers |
| Data reporting service providers | ARMs, APAs, CTPs |
| Insurance undertakings | Life and non-life insurers |
| Reinsurance undertakings | Reinsurers |
| Insurance intermediaries | Insurance brokers (above threshold) |
| Institutions for occupational retirement provision | Pension funds |
| Credit rating agencies | Rating providers |
| Administrators of critical benchmarks | Benchmark administrators |
| Crowdfunding service providers | Equity and lending crowdfunding platforms |
Insurance Intermediary Threshold
Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries are included only if they are not microenterprises. DORA Article 2(3) excludes insurance intermediaries that qualify as microenterprises (fewer than 10 employees and annual turnover or balance sheet below EUR 2 million), providing relief for smaller brokers.
The Proportionality Principle
DORA recognizes that a 10-person fintech startup should not face the same requirements as a systemically important bank. Article 4 explicitly incorporates proportionality:
"Financial entities shall implement the requirements laid down in this Regulation in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations."
In practice, this means:
| Factor | Impact on Implementation |
|---|---|
| Entity size | Smaller entities may implement simpler frameworks |
| Risk profile | Higher-risk activities warrant more robust controls |
| Complexity of services | Simple business models may justify streamlined approaches |
| Systemic importance | Systemically important institutions face enhanced requirements |
However, proportionality does not mean exemption. All in-scope entities must address each of DORA's core requirements; only the depth and sophistication of implementation vary.
Simplified ICT Risk Management Framework
DORA provides a simplified ICT risk management framework for certain smaller entities:
- Small and non-interconnected investment firms
- Payment institutions exempted under PSD2 Article 32(1)
- E-money institutions exempted under EMD2 Article 9(1)
- Small institutions for occupational retirement provision
These entities may implement a lighter version of the ICT risk management framework, though they must still maintain proportionate measures for incident reporting and third-party risk management.
Microenterprises
Microenterprises (fewer than 10 employees and annual turnover or balance sheet below EUR 2 million) have additional flexibility:
- Simpler ICT risk management framework requirements
- May not need a dedicated ICT security officer (responsibilities can be combined)
- Proportionate testing requirements
However, microenterprises remain subject to incident reporting obligations and must manage their ICT third-party relationships appropriately.
ICT Third-Party Service Providers
Apart from providers designated as critical (see below), DORA does not regulate ICT service providers directly; its requirements reach them through the financial entities they serve.
Indirect Regulation
Financial entities must ensure their contracts with ICT providers include specific provisions required by DORA Article 30:
- Service level agreements aligned with risk appetite
- Audit and access rights for the financial entity and regulators
- Incident notification obligations
- Exit strategy provisions
- Business continuity requirements
This means that even if you are a cloud provider, software vendor, or IT outsourcer not directly regulated by DORA, your financial sector clients will require DORA-compliant contractual terms.
Critical ICT Third-Party Providers (CTPPs)
DORA establishes a designation process for ICT service providers deemed critical to the financial sector. Once designated as a CTPP, a provider faces:
| Requirement | Details |
|---|---|
| Direct oversight | Joint Examination Teams led by ESAs |
| EU subsidiary | Must establish EU presence within 12 months of designation |
| Recommendations | Must address oversight authority recommendations |
| Potential penalties | Up to 5 million for non-compliance |
The designation criteria consider the systemic character of services, the number of financial entities relying on the provider, and the potential impact of service disruption on financial stability.
Non-EU Companies
DORA's reach extends beyond EU borders in several ways:
Non-EU Financial Entities
If a non-EU financial entity operates within the EU (through branches, subsidiaries, or provision of services), it falls within DORA's scope for those EU activities. This includes:
- Third-country branches of banks operating in the EU
- Non-EU investment firms providing services to EU clients
- Non-EU crypto-asset providers serving EU customers
Non-EU ICT Providers
Non-EU technology companies serving EU financial entities will face contractual requirements from their clients. A US cloud provider, for example, may not be directly regulated by DORA, but its EU financial sector customers must ensure contracts meet DORA standards.
If designated as a Critical ICT Third-Party Provider, a non-EU company must establish an EU subsidiary within 12 months of designation.
Relationship with Other Regulations
Entities subject to DORA may also fall under other regulatory frameworks:
| Regulation | Relationship |
|---|---|
| NIS 2 | DORA is lex specialis for the financial sector; NIS 2 requirements do not apply where DORA provides equivalent or stricter rules |
| GDPR | Applies in parallel; ICT incidents involving personal data require GDPR breach notification alongside DORA reporting |
| PSD2/PSD3 | DORA supplements payment services regulation with ICT-specific requirements |
| MiFID II | Investment firms must comply with both operational resilience frameworks |
| Solvency II | Insurers face DORA ICT requirements alongside prudential obligations |
Common Questions
Does DORA apply to UK companies after Brexit?
DORA does not directly apply to UK-based companies since the UK is no longer an EU member state. However, UK companies can be affected in two ways: if they provide ICT services to EU financial entities, they will face contractual DORA requirements from those clients; and if they provide financial services to EU customers (through branches or cross-border arrangements), those EU activities fall within DORA's scope.
Does DORA apply to small fintechs?
Yes. Unlike some regulations with revenue or employee thresholds, DORA applies based on sector classification. A 5-person payment startup falls within scope just as a major bank does. However, proportionality means the startup can implement simpler frameworks appropriate to its size and risk profile.
What about crypto companies?
Crypto-asset service providers authorized under MiCA and issuers of asset-referenced tokens are explicitly included in DORA's scope. This includes crypto exchanges, custodians, and wallet providers operating in the EU.
Are insurance brokers covered?
Insurance intermediaries are included in DORA's scope, but with a carve-out for microenterprises. Larger insurance brokers must comply with DORA requirements.
Do we need to comply if we only have EU customers but are based outside the EU?
If you provide financial services to EU customers, you likely fall within scope for those activities. Additionally, if you are an ICT provider serving EU financial entities, you will face contractual requirements even without direct regulatory application.
How do we know if we will be designated as a Critical ICT Third-Party Provider?
The ESAs will designate CTPPs based on criteria including the systemic character of services, concentration risk, and potential impact on financial stability. Major cloud providers, payment processors, and core banking software vendors serving multiple financial institutions are more likely to face designation.
How Bastion Helps
Bastion helps organizations understand and navigate DORA applicability:
- Scope assessment. We determine whether and how DORA applies to your organization.
- Proportionality analysis. We help identify appropriate implementation levels based on your size and risk profile.
- Contractual review. For ICT providers, we assess and update customer contracts to meet DORA requirements.
- Compliance roadmap. We develop a prioritized path to compliance tailored to your situation.
Ready to understand your DORA obligations? Talk to our team
Sources
- DORA Article 2 - Scope - Official text defining entities in scope
- DORA Article 4 - Proportionality - Principle of proportionality provisions
- European Banking Authority - DORA Q&A - Regulatory guidance on scope questions
