DORA: In-Scope Entities

DORA introduces significant new requirements for financial entities and their Third-Party ICT Service Providers

Get in touch

DORA applies to a wide range of organisations, including licensed financial institutions, such as banks, insurance companies, investment firms, stock exchanges, fintech companies, etc. and ICT third-party service providers like cloud computing services, software, data analytics services and data centres. 

DORA puts the relationship between the financial institutions and their technology suppliers in a new light to jointly address the regulatory requirements. 

Financial entities and ICT third-party service providers need increased collaboration in their journey towards compliance with DORA. Financial institutions need to be reassured that their providers are qualified partners in preparation for this paradigm shift. Without this reassurance, financial institutions will need to look for alternative providers. 

 

DORA In-scope entities 

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitisation repositories

  •  Providers of cloud computing services
  • Software
  • Data Analytics services
  • Providers of data centre services
  • Undertakings that are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking
  • Financial entities providing ICT services to other financial entities
  • Participants in the payment services ecosystem, providing payment processing activities or operating payment infrastructure.

*This is not an exhaustive list. Please contact us for an assessment relevant to your business.


This Regulation does not apply to: 

  • managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU; 
  • insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC; 
  • institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total; 
  • natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU; 
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are micro-enterprises or small or medium-sised enterprises; 
  • post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU. 

Our Key Experts

Get in touch with our experts on DORA

Ivan Spiteri Director Technology BDO Malta

Ivan Spiteri

Director of Technology Advisory & Assurance
View bio
DORA Compliance Program

DORA Compliance: Our BDO Solution

Our Technology experts can help you with a DORA Compliance program
Learn more

DORA Insights

Explore our articles and resources on DORA