Trusq

factual analysis · traceable to primary sources

Explainer

Does my firm fall under DORA?

Adopted 2026-06-28 · ≈ 1 min read · Dirk Baaijen

DORA applies to an exhaustively listed set of financial entities — from banks and insurers to payment institutions, crypto providers and their critical ICT providers. Small, non-interconnected entities may use a simplified framework. This explainer helps you determine whether you are in scope.

Short answer: DORA lists the entities in scope exhaustively. If you carry out a regulated financial activity from that list, you are in scope — regardless of size. Small and non-interconnected undertakings may use a simplified ICT risk framework. In the Netherlands, DNB and AFM supervise.

Who is in scope

Among others: credit institutions (banks), payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central counterparties and central securities depositories, trading venues, insurers and reinsurers, insurance intermediaries, alternative investment fund managers and management companies, and crowdfunding service providers. A separate oversight framework applies to critical ICT providers (CTPPs) serving these entities.

It is about the regulated activity, not the name

Scope follows the licence and the regulated activity, not the company name or sector. A logistics or industrial group with its own payment or financing entity falls under DORA for that part. So assess per entity and per activity. If you are also an essential sector under NIS2, DORA applies as the more specific rule to the financial part; see "DORA or NIS2: which applies?".

Proportionality: the simplified framework

Not every entity runs the same regime. Small, non-interconnected undertakings and certain micro-entities may use a simplified ICT risk management framework covering the core elements without the full weight. Determine your category first; the ESAs' technical standards describe both variants.

In doubt?

Determine (1) whether you are one of the listed entities carrying out a listed activity, and (2) whether the simplified or the full framework applies to you. When in doubt, test against Article 2 and the national implementation.

See also: DORA guide and DORA readiness roadmap.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
    Regulation (EU) 2022/2554 (DORA), Article 2 — scope and list of financial entities; applicable since 17 January 2025.
  2. https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora
    EBA — DORA: proportionality and the simplified ICT risk framework.

