DORA applies to a wide range of organisations, including licensed financial institutions, such as banks, insurance companies, investment firms, stock exchanges, fintech companies, etc. and ICT third-party service providers like cloud computing services, software, data analytics services and data centres.
DORA puts the relationship between the financial institutions and their technology suppliers in a new light to jointly address the regulatory requirements.
Financial entities and ICT third-party service providers need increased collaboration in their journey towards compliance with DORA. Financial institutions need to be reassured that their providers are qualified partners in preparation for this paradigm shift. Without this reassurance, financial institutions will need to look for alternative providers.
DORA In-scope entities
Financial Entities | ICT Third-party Service Providers* |
| - Providers of cloud computing services
|
| |
- Account information service providers
| |
- Electronic money institutions
| - Providers of data centre services
|
| - Undertakings that are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking
|
- Crypto-asset service providers and issuers of asset-referenced tokens
| - Financial entities providing ICT services to other financial entities
|
- Central securities depositories
| - Participants in the payment services ecosystem, providing payment-processing activities or operating payment infrastructure
|
| *This is not an exhaustive list. Please contact us for an assessment relevant to your business |
| |
| |
- Managers of alternative investment funds
| |
| |
- Data reporting service providers
| |
- Insurance and reinsurance undertakings
| |
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
| |
- Institutions for occupational retirement provision
| |
| |
- Administrators of critical benchmarks
| |
- Crowdfunding service providers
| |
- Securitisation repositories
| |
This Regulation does not apply to:
- managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;
- insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;
- institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;
- natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are micro-enterprises or small or medium-sised enterprises;
- post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.