Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (hereinafter "DORA" or "the Regulation") lays down uniform requirements for the security of network and information systems, not only for the vast majority of financial sector entities but also for the third parties that provide ICT services to them.
The full list of entities within the scope of DORA is set out in Article 2 of the Regulation. The entities listed in Article 2(1)(a) to (t) are collectively defined as "financial entities", and they are set out, together with the legal act in which each is defined, in the table below:
| Point | Financial entity | Defined in |
|---|---|---|
| (a) | credit institutions | Article 4(1)(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council |
| (b) | payment institutions, including payment institutions exempted pursuant to Article 32(1) of Directive (EU) 2015/2366 | Article 4(4) of Directive (EU) 2015/2366 and Article 32(1) of Directive (EU) 2015/2366 |
| (c) | account information service providers | Article 33(1) of Directive (EU) 2015/2366 |
| (d) | electronic money institutions, including electronic money institutions exempted pursuant to Article 9(1) of Directive 2009/110/EC | Article 2(1) of Directive 2009/110/EC of the European Parliament and of the Council and Article 9(1) of Directive 2009/110/EC |
| (e) | investment firms | Article 4(1)(1) of Directive 2014/65/EU |
| (f) | crypto-asset service providers authorised under Regulation (EU) 2023/1114 and issuers of asset-referenced tokens | Article 3(1)(15) of Regulation (EU) 2023/1114 and Article 3(1)(10) of Regulation (EU) 2023/1114 |
| (g) | central securities depositories | Article 2(1)(1) of Regulation (EU) No 909/2014 |
| (h) | central counterparties | Article 2(1) of Regulation (EU) No 648/2012 |
| (i) | trading venues | Article 4(1)(24) of Directive 2014/65/EU |
| (j) | trade repositories | Article 2(2) of Regulation (EU) No 648/2012 |
| (k) | managers of alternative investment funds | Article 4(1)(b) of Directive 2011/61/EU |
| (l) | management companies | Article 2(1)(b) of Directive 2009/65/EC |
| (m) | data reporting service providers | Article 2(1)(34) to (36) of Regulation (EU) No 600/2014 |
| (n) | insurance and reinsurance undertakings | Article 13(1) of Directive 2009/138/EC and Article 13(4) of Directive 2009/138/EC |
| (o) | insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries | Article 2(1)(3) of Directive (EU) 2016/97 of the European Parliament and of the Council, Article 2(1)(5) of Directive (EU) 2016/97 and Article 2(1)(4) of Directive (EU) 2016/97 |
| (p) | institutions for occupational retirement provision | Article 6(1) of Directive (EU) 2016/2341 |
| (q) | credit rating agencies | Article 3(1)(b) of Regulation (EC) No 1060/2009 |
| (r) | administrators of critical benchmarks | Article 3(1)(25) of Regulation (EU) 2016/1011 |
| (s) | crowdfunding service providers | Article 2(1)(e) of Regulation (EU) 2020/1503 of the European Parliament and of the Council |
| (t) | securitisation repositories | Article 2(23) of Regulation (EU) 2017/2402 of the European Parliament and of the Council |
DORA aims to strengthen confidence in, and protect the stability of, the financial system within the EU. To that end, financial entities are expected to follow the same rules when managing ICT risk, applied in proportion to their size and overall risk profile and to the nature, scale and complexity of their services, activities and operations.
Pursuant to Article 2(1)(u) of DORA, the requirements of the Regulation also extend to ICT third-party service providers, including cloud service providers, which are key partners of the financial sector for digital services and infrastructure.
Importantly, excluded from the scope of the Regulation are, among others, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises (Article 2(3)(e) DORA). To apply this exemption, it is essential to correctly determine whether the intermediary falls into one of those categories; Article 3(60), (63) and (64) of DORA therefore provides the definitions of microenterprise, small enterprise and medium-sized enterprise to be used when verifying the exemption criteria.