Friday with DORA – Who is bound by the DORA Ordinance?

12 April 2024
Friday with DORA – Who is bound by the DORA Ordinance?

Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 on the operational digital resilience of the financial sector (hereinafter “DORA” or “the Regulation”) provides for uniform network and information system security requirements not only for the vast majority of financial sector entities, but also for third parties that provide ICT services to them.

The full list of entities covered by the DORA regulations is set forth in Article 2 of the Regulation, while the mandatory institutions identified in Article 2(1)(a)-(t) are collectively defined as “financial entities,” and according to the table below, they are:





credit institutions

Article 4(1)(1) of Regulation (EU) No. 575/2013 of the European Parliament and of the Council


payment institutions and payment institutions exempted pursuant to Article 32 (1) of Directive (EU) 2015/2366

Article 4(4) of Directive (EU) 2015/2366 and Article 32(1) of Directive (EU) 2015/2366


providers providing access to account information service

Article 33(1) of Directive (EU) 2015/2366,


electronic money institutions and electronic money institutions benefiting from the exemption referred to in Article 9 (1) of Directive 2009/110/EC

Article 2(1) of Directive 2009/110/EC of the European Parliament and of the Council and Article 9(1) of Directive 2009/110/EC


entities engaged in investment activities

Article 4(1)(1) of Directive 2014/65/EU


Crypto-asset service providers authorized under Regulation 2023/1114 and issuers of asset-linked tokens,

Article 3(1)(15) of Regulation (EU) 2023/1114 and Article 3(1)(10) of Regulation (EU) 2023/1114


central securities depositories

Article 2(1)(1) of Regulation (EU) No. 909/2014


central counterparties

Article 2(1) of Regulation (EU) No. 648/2012


trading systems

Article 4(1)(24) of Directive 2014/65/EU


trade repositories

Article 2(2) of Regulation (EU) No. 648/2012


alternative investment fund managers

Article 4(1)(b) of Directive 2011/61/EU


management companies

Article 2(1)(b) of Directive 2009/65/EC


information sharing service providers

regulation (EU) No. 600/2014, in accordance with Article 2 (1) (34-36) thereof


insurance and reinsurance companies

Article 13(1) of Directive 2009/138/EC and Article 13(4) of Directive 2009/138/EC


insurance brokers, reinsurance brokers and supplementary insurance brokers

Article 2(1)(3) of Directive (EU) 2016/97 of the European Parliament and of the Council, Article 2(1)(5) of Directive (EU) 2016/97 and Article 2(1)(4) of Directive (EU) 2016/97


institutions of occupational pension schemes

Article 6(1) of Directive (EU) 2016/234


rating agencies

Article 3(1)(b) of Regulation (EC) No. 1060/2009


administrators of key reference indicators

Article 3(25) of Regulation (EU) 2016/1011


crowdfunding providers

Article 2(1)(e) of Regulation (EU) 2020/1503 of the European Parliament and of the Council


securitization repositories

Article 2 point 23 of the Regulation of the European Parliament and of the Council (EU) 2017/2402

DORA aims to strengthen confidence in and protect the stability of the financial system within the EU, in view of which financial entities are expected to follow the same rules when combating ICT risks, each time taking into account their size and overall risk profile and nature, as well as the scale and complexity of their activities, operations and services.

Pursuant to Article 2(1)(u) of DORA, the requirements under the Ordinance also extend to third-party information and communications technology providers, including cloud service providers, who are key partners for the financial sector in digital services and infrastructure.

Importantly, excluded from the scope of this Regulation are, among others, insurance intermediaries, reinsurance intermediaries and supplementary insurance intermediaries that are micro, small or medium-sized enterprises (Article 2(3)(e) DORA). In order to apply the exemption, it is crucial to correctly determine the status of the intermediary in the context of falling into one of the aforementioned categories, and therefore Article 3 (60), (63) and (64) of DORA indicates the definitions of micro, small and medium-sized enterprises to be used in verifying possible exemption criteria.


Friday with DORA – Who is bound by the DORA Ordinance?
12 April 2024

Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022…

Do you want to receive news?
Subscribe to Newsletter