DORA: In-Scope Entities

DORA introduces significant new requirements for financial entities and their Third-Party ICT Service Providers

DORA applies to licensed financial institutions, such as banks, insurance companies, investment firms, stock exchanges, fintech, etc. and ICT third-party service providers like cloud computing services, software, data analytics services and data centres. These organisations will have to implement the regulation and become fully compliant by the end of 2024.

DORA puts the relationship between the financial institutions and their technology suppliers in a new light to jointly address the regulatory requirements. Financial entities and ICT third-party service providers need increased collaboration in their journey towards compliance with DORA. Financial institutions need to be reassured that their providers are qualified partners in preparation for this paradigm shift. Without this reassurance, financial institutions will need to look for alternative providers. 


DORA In-scope entities as per 'Article 2 - Scope'


Financial Entities

ICT Third-party Service Providers*

  • Credit institutions
  • Providers of cloud computing services
  • Payment institutions
  • Software
  • Account information service providers
  • Data Analytics services
  • Electronic money institutions
  • Providers of data centre services
  • Investment firms
  • Undertakings that are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Financial entities providing ICT services to other financial entities
  • Central securities depositories
  • Participants in the payment services ecosystem, providing payment-processing activities or operating payment infrastructure
  • Central counterparties
* the entities listed are examples of ICT Third Party Service Providers
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitisation repositories


This Regulation does not apply to: 

  • managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU; 
  • insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC; 
  • institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total; 
  • natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU; 
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are micro-enterprises or small or medium-sised enterprises; 
  • post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU. 

Our Key Experts

Get in touch with our experts on DORA

DORA Compliance Program

DORA Compliance: Our BDO Solution

Our Technology experts can help you with a DORA Compliance program
Learn more