What entities are affected by DORA? International scope and current status
DORA’s scope is broad, covering a wide range of EU financial entities and services. The primary entities affected by DORA include:
Credit institutions (banks)
Payment institutions
Electronic money institutions
Investment firms
Insurance and reinsurance companies
Credit rating agencies
These traditional financial sector players are DORA’s primary targets, as they are responsible for critical financial services and hold large amounts of sensitive customer data.
Crypto-asset service providers (CASPs)
Crowdfunding service providers
Managers of alternative investment funds (AIFMs)
UCITS management companies
DORA also covers newer financial market participants, recognising their growing role in providing services and the need to ensure operational resilience.
Cloud computing providers
Data centre operators
Software vendors
Data analytics firms
DORA includes critical third-party ICT service providers that support the operations of financial entities. These providers are considered systemically important and must also comply with DORA’s requirements.
DORA casts a wide net, covering a broad range of EU financial institutions and service providers. However, its full scope extends beyond EU-based institutions: DORA also covers non-EU financial entities that operate within European markets. This means that even if an organisation is headquartered outside the EU but has a presence or provides services within the EU, it is still subject to DORA’s regulations.
DORA’s broad reach is intentional, as it aims to improve the overall operational resilience of the entire European financial sector. By encompassing traditional banks, emerging fintech players, and critical third-party service providers, DORA seeks to mitigate systemic risks arising from disruptions or cyber incidents affecting any part of the financial ecosystem.
As of Spring 2024, the Digital Operational Resilience Act is in the implementation period, which lasts for two years from the time it went into effect. This means that all affected financial entities in EU markets and their critical ICT providers must be prepared to fully comply with DORA’s requirements by January 2025.
While European regulators are still finalising specific technical details, DORA’s overall scope and requirements are now clear. In January 2024, the European Supervisory Authorities (ESAs) published the first set of requirements under DORA, covering ICT and third-party risk management and incident classification. These rules are published on the European Insurance and Occupational Pensions Authority’s website.