Key Takeaways
  • DORA applies to 21 categories of financial entities and to ICT third-party service providers designated as critical (CTPPs).
  • The proportionality principle adjusts requirements based on entity size, risk profile, and complexity — but does not exempt any in-scope entity from core obligations.
  • Micro-enterprises benefit from the simplified ICT risk management framework under Article 16, but must still comply with incident reporting and third-party risk provisions.
  • Financial groups must ensure compliance at each in-scope entity while leveraging group-level frameworks and the consolidated Register of Information.
  • Third-country ICT providers are indirectly captured through contractual flow-down of DORA's mandatory Article 30 clauses.

Introduction

One of the first — and most consequential — questions any organisation must answer about the Digital Operational Resilience Act (DORA) is whether it applies to them. DORA's scope is broad by design, capturing virtually the entire EU-regulated financial services ecosystem along with the ICT service providers they depend on.

Getting the applicability assessment right is critical. Underscoping leads to regulatory exposure and potential supervisory action. Overscoping wastes resources and creates unnecessary compliance burden. This guide provides a systematic approach to determining DORA applicability, understanding the proportionality principle, and scoping compliance programmes for individual entities and financial groups.

DORA — Regulation (EU) 2022/2554 — entered into force on 16 January 2023 and became enforceable from 17 January 2025. Unlike a Directive, DORA is directly applicable across all EU Member States without national transposition, ensuring consistent application of digital operational resilience requirements across the financial sector.

The 21 Entity Categories Under DORA

Article 2(1) of DORA defines 21 categories of financial entities that fall within scope. These categories span the breadth of the European financial services landscape:

Banking and Credit

  • (a) Credit institutions — Banks authorised under the Capital Requirements Directive (CRD), including all branches and subsidiaries within the EU
  • (b) Payment institutions — Entities authorised under the Payment Services Directive (PSD2), including electronic money institutions and payment service providers
  • (d) Electronic money institutions — Issuers of electronic money authorised under the Electronic Money Directive (EMD2)

Investment and Capital Markets

  • (c) Investment firms — Firms authorised under MiFID II to provide investment services and activities
  • (l) Central securities depositories — Entities authorised under CSDR to operate settlement systems and provide core custody services
  • (m) Central counterparties — CCPs authorised under EMIR to interpose themselves between counterparties in derivatives and securities transactions
  • (n) Trading venues — Regulated markets, multilateral trading facilities (MTFs), and organised trading facilities (OTFs) authorised under MiFID II
  • (o) Trade repositories — Entities registered under EMIR or SFTR to centrally collect and maintain transaction records

Insurance and Pensions

  • (f) Insurance undertakings — Life and non-life insurance companies authorised under Solvency II
  • (g) Reinsurance undertakings — Entities authorised under Solvency II to accept risks transferred from insurance companies
  • (h) Institutions for occupational retirement provision (IORPs) — Pension funds authorised under the IORP II Directive
  • (i) Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries — Distribution entities under the Insurance Distribution Directive (IDD)

Asset Management

  • (j) Management companies — UCITS management companies authorised under the UCITS Directive
  • (k) Alternative investment fund managers (AIFMs) — Managers authorised under the AIFMD to manage alternative investment funds

Crypto and Crowdfunding

  • (e) Crypto-asset service providers — Entities authorised under MiCA to provide crypto-asset services
  • (p) Crowdfunding service providers — Platforms authorised under the European Crowdfunding Service Provider Regulation (ECSPR)
  • (q) Issuers of asset-referenced tokens — Issuers authorised under MiCA for stablecoins and asset-referenced tokens

Data and Reporting Services

  • (s) Securitisation repositories — Repositories registered under the Securitisation Regulation to store securitisation data
  • (t) Administrators of critical benchmarks — Administrators of benchmarks designated as critical under the Benchmarks Regulation (BMR)

Credit Services

  • (r) Credit rating agencies — Agencies registered under the CRA Regulation to issue credit ratings
  • (u) Data reporting service providers — Approved Publication Arrangements (APAs) and Consolidated Tape Providers (CTPs) under MiFID II

Entity Types and Requirements Comparison

Different entity categories face different levels of DORA requirements, primarily influenced by the proportionality principle and whether the entity qualifies for the simplified framework.

Entity Category                          | ICT Risk Mgmt        | Incident Reporting | Resilience Testing | TLPT          | Third-Party Risk
-----------------------------------------|----------------------|--------------------|--------------------|---------------|------------------
Credit institutions (significant)        | Full framework       | Full reporting     | Full programme     | Mandatory     | Full requirements
Credit institutions (less significant)   | Full framework       | Full reporting     | Full programme     | At discretion | Full requirements
Investment firms (large)                 | Full framework       | Full reporting     | Full programme     | At discretion | Full requirements
Payment/e-money institutions             | Full framework       | Full reporting     | Full programme     | At discretion | Full requirements
Insurance undertakings                   | Full framework       | Full reporting     | Full programme     | At discretion | Full requirements
CCPs and CSDs                            | Full framework       | Full reporting     | Full programme     | Mandatory     | Full requirements
Crypto-asset service providers           | Full framework       | Full reporting     | Full programme     | At discretion | Full requirements
Micro-enterprises                        | Simplified (Art. 16) | Full reporting     | Proportionate      | Exempt        | Full requirements
Insurance intermediaries (small)         | Simplified (Art. 16) | Full reporting     | Proportionate      | Exempt        | Proportionate

Important Note on TLPT

Competent authorities identify entities required to perform TLPT based on the entity's overall risk profile and the criticality of its ICT systems. The ESAs, through the Joint Committee, have developed criteria for identification. Check with your national competent authority for specific TLPT obligations.

The Proportionality Principle

DORA's proportionality principle, set out in Recital 21 and embedded throughout the Regulation, recognises that a one-size-fits-all approach to digital operational resilience is neither practical nor desirable. The principle allows financial entities to calibrate their compliance approach based on several factors.

Proportionality Factors

When applying proportionality, entities should consider:

  • Size: Total assets, number of employees, market share, volume of transactions processed
  • Overall risk profile: Nature and complexity of services, interconnectedness with the financial system, criticality of functions to the market
  • Nature, scale, and complexity: Range of services offered, geographical scope, ICT infrastructure complexity, number of third-party dependencies

What Proportionality Does NOT Mean

Proportionality should not be confused with exemption. Even the smallest in-scope entity must:

  • Have an ICT risk management framework (simplified for micro-enterprises under Article 16)
  • Report major ICT-related incidents to their competent authority
  • Manage ICT third-party risk with appropriate contractual provisions
  • Conduct proportionate resilience testing
  • Maintain a Register of Information on ICT third-party arrangements

Documenting Proportionality Decisions

Critically, proportionality decisions must be documented and justifiable. Competent authorities may challenge proportionality rationale during supervisory review. We recommend maintaining a proportionality assessment document that records the basis for each significant decision to apply reduced requirements.

Micro-Enterprise Exemptions and Simplified Framework

Article 16 provides a simplified ICT risk management framework for entities that qualify as micro-enterprises under the EU definition — generally entities with fewer than 10 employees and annual turnover or balance sheet total not exceeding EUR 2 million.

Simplified Framework Elements

Micro-enterprises benefit from reduced requirements in Pillar 1 (ICT Risk Management):

  • Governance: The ICT risk management framework need not include a separate ICT risk management function, provided ICT risk responsibilities are clearly assigned
  • Documentation: The framework may consist of simplified documentation proportionate to the entity's operations
  • Asset management: The ICT asset inventory can be maintained in a simplified format
  • Testing: Testing requirements are scaled to the entity's ICT risk exposure and infrastructure complexity
  • BCP/DR: Business continuity and disaster recovery can be addressed through simpler arrangements

What Micro-Enterprises Must Still Do

Micro-enterprise status does not exempt entities from:

  • Major ICT incident reporting (Pillar 2) — the same timelines and classification criteria apply
  • ICT third-party risk management (Pillar 4) — contracts must include mandatory clauses
  • Register of Information — must be maintained even in simplified form
  • Proportionate resilience testing — even simplified testing must be documented

Determining Micro-Enterprise Status

The assessment must consider the entity individually, not at group level. An entity that is part of a large financial group but individually meets micro-enterprise criteria may still qualify for the simplified framework. However, competent authorities may look through to group-level resources and capabilities when assessing the appropriateness of applying the simplified framework.

Group-Level Scoping

Financial groups face unique scoping challenges when implementing DORA. The Regulation applies at the individual entity level, but group-level coordination is both permitted and expected.

Individual Entity Compliance

Each in-scope entity within a group must individually comply with DORA. This means:

  • Each entity needs its own ICT risk management framework (though it can adopt the group framework)
  • Each entity must independently report major ICT-related incidents
  • Each entity must maintain its own resilience testing programme
  • Each entity must manage its own third-party ICT relationships

Group-Level Coordination

DORA permits and encourages group-level approaches:

  • Common ICT risk management framework: The parent entity can establish a group-wide ICT risk management framework that subsidiaries adopt and adapt
  • Consolidated Register of Information: Article 28(3) allows the RoI to be maintained at sub-consolidated and consolidated level
  • Centralised functions: Group-level ICT risk management, security operations, and incident response can serve multiple entities
  • Joint testing: Group entities sharing common ICT infrastructure can coordinate testing programmes
  • Pooled TLPT: Where multiple group entities use the same critical ICT systems, pooled TLPT is permitted

Group Scoping Methodology

We recommend the following approach for group-level DORA scoping:

  • Step 1: Map all legal entities within the group across all jurisdictions
  • Step 2: Identify which entities hold EU financial services licences falling within the 21 DORA categories
  • Step 3: Assess micro-enterprise status for each entity individually
  • Step 4: Map shared ICT infrastructure, services, and third-party providers across entities
  • Step 5: Determine which group-level capabilities can be leveraged (e.g., SOC, incident response, third-party management)
  • Step 6: Identify TLPT-obligated entities and assess pooled testing opportunities
  • Step 7: Design the group DORA compliance architecture — balancing central coordination with entity-level accountability

Third-Country Entities Serving EU Clients

DORA's geographic scope is anchored to EU-authorised financial entities, but its effects extend beyond EU borders through several mechanisms.

Direct Application

DORA directly applies to financial entities authorised in the EU. Third-country entities — whether financial institutions or ICT service providers — are not directly subject to DORA unless they are designated as CTPPs under the oversight framework.

Indirect Application Through Contractual Flow-Down

The most significant impact on third-country entities comes through contractual requirements. Article 30 mandates specific clauses in all ICT service agreements. EU financial entities must ensure their contracts with third-country providers include:

  • Clear service level descriptions and performance targets
  • Data processing and data location provisions
  • Audit and inspection rights for the financial entity and its competent authority
  • Termination rights and exit provisions with transition periods
  • Sub-outsourcing notification and approval requirements
  • Cooperation obligations during supervisory examinations

Third-Country Branches of EU Entities

Third-country branches of EU-authorised financial entities are generally within scope of the parent entity's DORA compliance programme. The ICT systems and services supporting these branches must be covered by the entity's ICT risk management framework, incident reporting, and third-party risk management processes.

EU Branches of Third-Country Entities

EU branches of third-country financial entities may fall within DORA scope depending on the specific EU legislation under which they operate. For example, third-country credit institution branches authorised under national regimes may be subject to DORA at the discretion of the Member State competent authority.

CTPP Designation and Oversight

One of DORA's most innovative provisions is the establishment of a direct EU-level oversight framework for Critical ICT Third-Party Service Providers (CTPPs). This framework is managed by the European Supervisory Authorities (ESAs) through a Lead Overseer model.

Designation Criteria

The ESAs designate ICT third-party service providers as critical based on:

  • Systemic impact: The degree to which the provider's disruption would affect financial stability, orderly market functioning, or the soundness of financial entities
  • Concentration: The number and importance of financial entities relying on the provider, particularly for critical or important functions
  • Substitutability: The degree to which the provider can be replaced, considering the availability of alternatives and the difficulty of migrating services
  • Interconnectedness: The degree to which the provider is interconnected with other ICT service providers in the financial supply chain

CTPP Oversight Powers

Once designated, CTPPs are subject to direct oversight by the Lead Overseer, which has powers to:

  • Request information and documentation
  • Conduct general investigations and inspections
  • Issue recommendations on ICT risk management, security, and resilience
  • Require the CTPP to adopt specific measures to address identified risks
  • Request reports on compliance with recommendations

Third-Country CTPPs

Third-country ICT service providers designated as CTPPs must establish a subsidiary within the EU within 12 months of designation. This ensures the Lead Overseer has a legal entity within the EU to exercise its oversight powers. Third-country CTPPs that fail to establish an EU subsidiary may face restrictions on their services to EU financial entities.

Practical Scoping Steps for Your Organisation

Whether you are a standalone financial entity, part of a group, or an ICT service provider, follow these practical steps to scope your DORA compliance programme:

Step 1: Regulatory Status Assessment

  • Confirm your EU financial services authorisation and licence type
  • Map your entity to the specific DORA Article 2(1) category
  • Assess whether you hold multiple licences (e.g., payment institution and e-money institution)

Step 2: Proportionality Assessment

  • Document your entity size (assets, employees, transaction volumes)
  • Assess your overall risk profile and systemic importance
  • Evaluate the nature, scale, and complexity of your services and ICT
  • Determine micro-enterprise eligibility under Article 16

Step 3: Critical Function Mapping

  • Identify all critical and important functions under Article 3(22)
  • Map ICT systems supporting each function
  • Identify third-party ICT providers for each critical function

Step 4: TLPT Obligation Assessment

  • Determine whether your entity is identified for mandatory TLPT
  • Engage with your competent authority on TLPT requirements
  • Assess pooled testing options for shared infrastructure

Step 5: Third-Party Scoping

  • Inventory all ICT third-party service providers
  • Classify providers by criticality of supported functions
  • Identify potential CTPPs in your supply chain
  • Assess contract compliance with Article 30

Step 6: Documentation and Sign-Off

  • Document the scoping assessment with all supporting rationale
  • Present to the management body for review and approval
  • Include the scoping document in your DORA evidence pack
  • Review and update annually or when material changes occur

A well-documented scoping assessment is one of the first things a competent authority will review during supervisory engagement. Invest the time to get it right, document the rationale clearly, and keep it current.

Frequently Asked Questions

Does DORA apply to my organisation?

DORA applies to 21 categories of financial entities authorised in the EU, including credit institutions, investment firms, insurance undertakings, payment institutions, electronic money institutions, and crypto-asset service providers. It also applies to ICT third-party service providers designated as critical (CTPPs). If your organisation holds a financial services licence in any EU Member State, DORA almost certainly applies.

What is the DORA proportionality principle?

The proportionality principle means that DORA requirements are applied in a manner proportionate to the size, overall risk profile, and nature, scale, and complexity of the financial entity's services, activities, and operations. Smaller, less complex entities may implement simpler controls while still meeting regulatory expectations. Proportionality decisions must be documented and justifiable.

Are micro-enterprises exempt from DORA?

Micro-enterprises are not fully exempt from DORA. However, Article 16 provides a simplified ICT risk management framework for micro-enterprises with fewer than 10 employees and annual turnover or balance sheet total not exceeding EUR 2 million. They benefit from reduced documentation and governance requirements but must still comply with incident reporting, third-party risk management, and Register of Information obligations.

Does DORA apply to non-EU entities serving EU clients?

DORA directly applies to financial entities authorised in the EU. Third-country entities are not directly in scope unless designated as CTPPs. However, third-country ICT providers serving EU financial entities will face contractual DORA requirements passed through by their EU clients, particularly the mandatory contract clauses under Article 30, including audit rights and data location provisions.

How do I scope DORA for a financial group?

For financial groups, DORA compliance must be assessed at each in-scope entity level. However, groups can establish a common ICT risk management framework, maintain the Register of Information at consolidated level, and coordinate resilience testing. The parent entity's management body retains overall responsibility for ICT risk strategy. Each entity must still be able to demonstrate individual compliance.