DORA Scope Explained. Are You Impacted?


DORA is the broadest-scope ICT security regulation in EU history. Designed to enhance and harmonise digital resilience within the European financial market, DORA will impact thousands of EU entities.

PwC estimates that DORA will directly apply to at least 22,000 organisations. In our opinion, DORA, via its customer-focused remit, will likely apply to even more.

This blog covers who is and is not in scope of DORA based on research into the official EU legal text and various prior regulations referred to within DORA.


Organisations NOT In Scope of DORA

The quickest way to determine whether your organisation is in scope of DORA is to compare it to the kinds of organisations we have determined are not in scope of DORA.

DORA-exempt organisations include:

Non-financial entities (with the exception of ICT third-party service providers)

Companies and organisations operating outside the financial services sector, such as retail, education, healthcare (excluding their financial services units), and manufacturing, are not directly impacted by DORA.

(Some) alternative investment fund managers

Some (not all) alternative investment fund managers (AIFMs), as referred to in Article 3(2) of Directive 2011/61/EU, are exempt from DORA.

Exempt AIFMs must manage or control (either directly or via a linked company under common management or significant holding):

Some insurance and reinsurance undertakings (i.e., those covered under Article 4 of Directive 2009/138/EC)

To be exempt from DORA, insurance and reinsurance businesses need to tick all of the following boxes:

Very small institutions for occupational retirement provision

Only those operating pension schemes with fewer than 15 members in total are exempt from DORA.

Natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU

This includes:

Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries qualifying as microenterprises or as small/medium-sized enterprises

As defined in DORA:

Microenterprise means a financial entity other than a trading venue, a central counterparty, a trade repository, or a central securities depository that employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.

Small enterprise means a financial entity that employs 10 or more people but fewer than 50 and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million but does not exceed EUR 10 million.

A medium-sized enterprise is a financial entity that is not a small enterprise, employs fewer than 250 persons, and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million.

Post office giro institutions

Financial establishments that offer banking services, like money transfer, through the postal network are outside the scope of DORA.

Businesses providing non-critical ICT services to the financial sector (with some exceptions)

Third-party ICT service providers that do not offer critical services to the financial sector or whose services do not fall under the criteria set for critical third-party providers are not directly impacted by DORA.

However, they may be indirectly impacted by DORA’s contracting requirements for financial services institutions (FSIs).

For example, financial entities may only contract with ICT third-party service providers that comply with appropriate information security standards.

Financial entities outside the EU that do not serve the EU financial sector

Non-EU entities that do not provide financial services to the EU market and are not critical ICT third-party service providers to EU financial entities are not impacted by DORA.

Country-specific institutions based on the list of entities in Article 2(5) of Directive 2013/36/EU (optional, at the discretion of the Member State in question)

Member States may exclude from the scope of this Regulation entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU that are located within their respective territories.

The list of optionally excluded institutions per country is as follows:


Organisations That ARE In Scope of DORA

If you are a financial organisation trading in the EU or with EU customers and don’t match any of the business categories mentioned in the first part of this article, you are likely within DORA's scope.

If you are a financial institution that could be defined as a:

Or have been determined by the ESA to be a critical ICT third-party service provider (CTPP).

You ARE in scope of DORA.


DORA Scope Proportionality

DORA is broad in scope, but it is also proportional.

Proportionality will be used at all levels to assess the degree of DORA compliance a covered organisation needs to have.

Microenterprises, “very small entities” (defined as having a turnover of less than €2 million/year and fewer than 10 employees), and entities with simple IT environments face different reporting levels compared to large entities with complex risk profiles.

Take these two hypothetical examples:

Large multinational bank

Wide-ranging operations across the EU, heavy reliance on complex ICT systems and critical third-party ICT services.

Likely DORA requirements:

Small local investment firm

Local scope with limited services, uses basic ICT infrastructure, and engages few non-critical third-party services.

Likely DORA requirements:

Certain organisations, like small institutions for occupational retirement provision with fewer than 100 members, will be subject to a very light regulatory framework under the relevant sector-specific Union law.


SECFORCE Is An Expert DORA Consultancy Firm

SECFORCE has extensive experience helping financial service entities and businesses build resilience, test their systems, and navigate compliance journeys like the ones they will encounter with DORA.

If you want help with your DORA compliance efforts, contact us.
