DORA Scope Explained. Are You Impacted?

DORA is the broadest-scope ICT security regulation in EU history. Designed to enhance and harmonise digital resilience within the European financial market, DORA will impact thousands of EU entities.

PWC estimates that DORA will directly apply to at least 22,000 organisations. In our opinion, DORA, via its customer-focused remit, will likely apply to even more.

This blog covers who is and is not in scope of DORA based on research into the official EU legal text and various prior regulations referred to within DORA.

Organisations NOT In Scope of DORA

The quickest way to determine whether your organisation is in scope of DORA is to compare it to the kinds of organisations we have determined are not in scope of DORA.

DORA-exempt organisations include:

Non-financial entities (with the exception of ICT third-party service providers)

Companies and organisations operating outside the financial services sector, such as retail, education, healthcare (excluding their financial services units), and manufacturing, are not directly impacted by DORA.

(Some) alternative investment fund managers

Some (not all) alternative investment fund managers (AIFM), as referred to in Article 3(2) of Directive 2011/61/EU, are exempt from DORA.

Exempt AIFMs must manage or control (either directly or via a linked company under common management or significant holding):

• Portfolios of AIFs, including assets obtained through leverage, totalling no more than €100 million.
• Portfolios of AIFs whose assets are unleveraged and have no redemption rights exercisable during a period of 5 years following the date of initial investment in each AIF that do not exceed a threshold of €500 million.

Some insurance and reinsurance undertakings (i.e., those covered under Article 4 of Directive 2009/138/EC)

To be exempt from DORA, insurance and reinsurance businesses need to tick all of the following boxes:

• Not exceed €5 million in gross written premium income.
• Not exceed €25 million in total technical provisions (gross of the amounts recoverable from reinsurance contracts and special purpose vehicles).
• Not include activities covering liability, credit and suretyship insurance risks unless they constitute ancillary risks within the meaning of Article 16(1);
• Not conduct reinsurance operations exceeding €0,5 million of its gross written premium income or €2,5 million of its technical provisions gross of the amounts recoverable from reinsurance contracts and special purpose vehicles, or more than 10% of its gross written premium income or more than 10% of its technical provisions gross of the amounts recoverable from reinsurance contracts and special purpose vehicles.

Very small institutions for occupational retirement provision

Only those operating pension schemes with less than 15 members in total are exempt from DORA.

Natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU

This includes:

• Central banks and public bodies charged with or intervening in the management of public debt.
• Persons dealing on their own account in commodities or commodity derivatives.
• Legal professionals providing investment advice under certain conditions.
• Firms that do not hold client funds or securities, and four more categories.
• Market operators when operating a multilateral trading facility.
• Persons providing investment services exclusively for their parent companies.
• Certain local firms that do not provide services to clients outside their home member state.
• Firms dealing on their own account, provided they do not execute client orders or provide any other investment services.

Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries qualifying as microenterprises or as small/medium-sized enterprises

As per the DORA:

Microenterprise means a financial entity other than a trading venue, a central counterparty, a trade repository, or a central securities depository that employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.

Small enterprise means a financial entity that employs 10 or more people but fewer than 50 and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million but does not exceed EUR 10 million.

A medium-sized enterprise is a financial entity that is not a small enterprise, employs fewer than 250 persons, and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million.

Post office giro institutions

Financial establishments that offer banking services, like money transfer, through the postal network are outside the scope of DORA.

Businesses providing non-critical ICT services to the financial sector (with some exceptions)

Third-party ICT service providers that do not offer critical services to the financial sector or whose services do not fall under the criteria set for critical third-party providers are not directly impacted by DORA.

However, they may be indirectly impacted due to DORA’s requirements around FSI contracting requirements.

For example, financial entities may only contract with ICT third-party service providers that comply with appropriate information security standards.

Financial entities outside the EU that do not serve the EU financial sector

Non-EU entities that do not provide financial services to the EU market and are not critical ICT third-party service providers to EU financial entities are not impacted by DORA.

Country-specific institutions based on a list of entities from Article 2(5) in Directive 2013/36/EU (Optional by the country in question)

Member States may exclude from the scope of this Regulation entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU that are located within their respective territories.

The list of optionally excluded institutions per country is as follows:

• In Belgium, the Institut de Réescompte et de Garantie/Herdiscontering- en Waarborginstituut;
• In Denmark, the Eksport Kredit Fonden, the Eksport Kredit Fonden A/S, the Danmarks Skibskredit A/S and the KommuneKredit;
• In Germany, the Kreditanstalt für Wiederaufbau, undertakings which are recognised under the Wohnungsgemeinnützigkeitsgesetz as bodies of State housing policy and are not mainly engaged in banking transactions, and undertakings recognised under that law as non-profit housing undertakings;
• In Estonia, the hoiu-laenuühistud, as cooperative undertakings that are recognised under the hoiu-laenuühistu seadus;
• In Ireland, credit unions and the friendly societies;
• In Greece, the Ταμείο Παρακαταθηκών και Δανείων (Tamio Parakatathikon kai Danion);
• In Spain, the Instituto de Crédito Oficial;
• In France, the Caisse des dépôts et consignations;
• In Italy, the Cassa depositi e prestiti;
• In Latvia, the krājaizdevu sabiedrības, undertakings that are recognised under the krājaizdevu sabiedrību likums as cooperative undertakings rendering financial services solely to their members;
• In Lithuania, the kredito unijos other than the Centrinė kredito unija;
• In Hungary, the MFB Magyar Fejlesztési Bank Zártkörűen Működő Részvénytársaság and the Magyar Export-Import Bank Zártkörűen Működő Részvénytársaság;
• In the Netherlands, the Nederlandse Investeringsbank voor Ontwikkelingslanden NV, the NV Noordelijke Ontwikkelingsmaatschappij, the NV Industriebank Limburgs Instituut voor Ontwikkeling en Financiering and the Overijsselse Ontwikkelingsmaatschappij NV;
• In Austria, undertakings recognised as housing associations in the public interest and the Österreichische Kontrollbank AG;
• In Poland, the Spółdzielcze Kasy Oszczędnościowo — Kredytowe and the Bank Gospodarstwa Krajowego;
• In Portugal, the Caixas Económicas existing on 1 January 1986 with the exception of those incorporated as limited companies and of the Caixa Económica Montepio Geral;
• In Slovenia, the SID-Slovenska izvozna in razvojna banka, d.d. Ljubljana;
• In Finland, the Teollisen yhteistyön rahasto Oy/Fonden för industriellt samarbete AB, and the Finnvera Oyj/Finnvera Abp;
• In Sweden, the Svenska Skeppshypotekskassan;
• In the United Kingdom, the National Savings Bank, the Commonwealth Development Finance Company Ltd, the Agricultural Mortgage Corporation Ltd, the Scottish Agricultural Securities Corporation Ltd, the Crown Agents for overseas governments and administrations, credit unions and municipal banks.

Organisations That ARE In Scope of DORA

If you are a financial organisation trading in the EU or with EU customers and don’t match any of the business categories mentioned in the first part of this article, you are likely within DORA's scope.

If you are a financial institution that could be defined as a:

• Credit institution
• Investment firm
• Insurance or reinsurance undertaking
• Fintech company
• Payment institution
• Electronic money institution
• Central securities depository
• Crypto-asset service provider.
• Central counterparty
• Trading venue or repository
• Crowdfunding service provider
• Asset management company
• Data reporting service provider.

Or have been determined by the ESA to be a critical ICT third-party service provider (CTPP).

You ARE in scope of DORA.

DORA Scope Proportionality

DORA is broad in scope, but it is also proportional.

Proportionality will be used at all levels to assess the degree of DORA compliance a covered organisation needs to have.

Microenterprises, “very small entities” (defined as having a turnover of less than €2 million/year and less than 10 employees), and simple IT environments require different reporting levels compared to large entities with complex risk profiles.

Take these two hypothetical examples:

Large multinational bank

Wide-ranging operations across the EU, heavy reliance on complex ICT systems and critical third-party ICT services.

Likely DORA requirements:

• ICT testing frequency: Advanced threat-led penetration testing at least every three years, with an annual testing program, is required.
• Additional requirements: Comprehensive incident reporting within 24 hours for significant events and detailed third-party risk assessments for all critical ICT service providers. ICT risk management framework reviewed yearly.

Small local investment firm

Local scope with limited services, uses basic ICT infrastructure, and engages few non-critical third-party services.

Likely DORA requirements:

• ICT testing frequency: Basic cybersecurity assessments annually, with threat-led penetration testing required at least once every three years.
• Additional requirements: A periodically reviewed ICT risk management framework, proportionate incident reporting obligations, an up-to-72-hour reporting window for significant ICT-related incidents, and simplified third-party risk assessments focusing on key providers.

Certain organisations, like small institutions for occupational retirement provision, with less than 100 members, will be subject to a very light regulatory framework under the relevant sector-specific Union law.

SECFORCE Is An Expert DORA Consultancy Firm

SECFORCE has extensive experience helping financial service entities and businesses build resilience, test their systems, and navigate compliance journeys like the ones they will encounter with DORA.

If you want help with your DORA compliance efforts, contact us.