Since DORA is a regulation focused on financial entities, it is expected that all kinds of financial organizations need to be compliant with it.
What is less obvious is that smaller financial organizations have to comply with different parts of DORA than other financial entities, and that IT companies providing services to financial organizations need to be compliant as well.
There are two types of organizations that need to be compliant with DORA: financial entities, and the ICT third-party service providers of those financial entities. For financial entities, different rules apply to smaller entities vs. mid-sized or large entities; for ICT service providers, different rules apply to critical vs. non-critical providers.
Which financial organizations must comply with DORA?
In its Article 2, DORA specifies that it applies to almost all financial entities in all EU countries:
- credit institutions
- payment institutions
- account information service providers
- electronic money institutions
- investment firms
- crypto-asset service providers
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- securitisation repositories
However, there are differences between what smaller financial organizations need to comply with when compared to other financial organizations.
Smaller vs. other financial organizations in DORA
Out of the financial organizations listed above, the following sub-groups are subject to a lighter set of DORA requirements:
- small and non-interconnected investment firms
- small payment institutions exempted by the decision of Member States according to Directive (EU) 2015/2366
- specific credit institutions defined in Directive 2013/36/EU (if Member States did not exclude them completely from DORA)
- small electronic money institutions exempted by the decision of Member States according to Directive 2009/110/EC
- small institutions for occupational retirement provision
These smaller organizations must comply with the “simplified ICT risk management framework” that is specified in DORA’s Article 16 and in TITLE III of CDR (EU) 2024/1774, “Technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework”. In other words, these smaller financial entities do not need to comply with the whole of Chapter II (ICT risk management) as the other financial organizations must.
However, smaller financial organizations must comply with other parts of DORA in the same way as all the other organizations.
ICT third-party service providers
IT companies that provide services to financial organizations in the European Union must comply with the requirements specified in Chapter V (Managing of ICT third-party risk).
All ICT service providers must meet security standards and follow specific contractual obligations; if a service provider is designated as critical, the requirements are much stricter.
Find out the details here: Which IT companies need to comply with DORA, and how?
It’s time to prepare
Whether you are a financial organization or an IT company, you should prepare for DORA compliance, and for that purpose you should educate your employees. Learn more here: How to organize DORA training and awareness.
For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.