Who must comply with the DORA regulation?

Since DORA is a regulation aimed at the financial sector, it is natural to expect that financial organizations of every kind need to comply with it.

Two points are less obvious: smaller financial organizations are subject to a reduced set of DORA requirements compared with other financial entities, and IT companies that provide services to financial organizations fall under DORA as well.

In short, two types of organizations must comply with DORA: financial entities, and the ICT third-party service providers of those financial entities. For financial entities, the rules differ between smaller entities and mid-sized or large entities; for ICT service providers, the rules differ between providers designated as critical and all other providers.


Which financial organizations must comply with DORA?

In its Article 2, DORA specifies that it applies to almost all types of financial entities in all EU Member States:

  • credit institutions
  • payment institutions
  • account information service providers
  • electronic money institutions
  • investment firms
  • crypto-asset service providers
  • central securities depositories
  • central counterparties
  • trading venues
  • trade repositories
  • managers of alternative investment funds
  • management companies
  • data reporting service providers
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • administrators of critical benchmarks
  • crowdfunding service providers
  • securitisation repositories

However, what smaller financial organizations must comply with differs from what applies to the other financial organizations.


Smaller vs. other financial organizations in DORA

Out of the financial organizations listed above, the following sub-groups are subject to lighter requirements under DORA:

  • small and non-interconnected investment firms
  • payment institutions exempted by a Member State decision under Directive (EU) 2015/2366
  • credit institutions exempted under Directive 2013/36/EU, where the Member State has not used the option in DORA Article 2(4) to exclude them from DORA altogether
  • electronic money institutions exempted by a Member State decision under Directive 2009/110/EC
  • small institutions for occupational retirement provision

These smaller organizations must comply with the “simplified ICT risk management framework” specified in DORA Article 16, and detailed in Title III of Commission Delegated Regulation (EU) 2024/1774 (the technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework). In other words, Articles 5 to 15 of Chapter II (ICT risk management) do not apply to these smaller financial entities, whereas the other financial organizations must implement Chapter II in full.

However, smaller financial organizations must comply with the other parts of DORA (e.g., ICT-related incident reporting and ICT third-party risk management) in the same way as all the other organizations.

ICT third-party service providers

IT companies that provide ICT services to financial organizations in the European Union are affected by the requirements of Chapter V, Managing of ICT third-party risk.

In particular, every ICT service provider will have to meet the security standards and the specific contractual obligations that financial entities are required to include in their contracts under Article 30 (for example, service level descriptions, incident support, audit and access rights, and termination and exit provisions). If a service provider is designated as critical under Article 31, it additionally falls under the direct oversight of the European Supervisory Authorities, and the requirements are much stricter.

Click here to find out the details: Which IT companies need to comply with DORA, and how?

It’s time to prepare

So, whether you are a financial organization or an IT company, you should prepare for DORA compliance, and educating your employees is the place to start. Learn more here: How to organize DORA training and awareness.

For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.


Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.