Which organisations are in scope for DORA?

The Digital Operational Resilience Act (DORA) is a regulation that applies to the financial sector. There are 20 different types of financial entities in scope for DORA. Another category of organisations in scope for DORA are critical third-party service providers to the financial entities that are in scope.

Financial entity types in scope for DORA

• Credit institutions
• Payment institutions
• Account information service providers
• Electronic money institutions
• Investment firms
• Crypto-asset service providers and issuers of asset-referenced tokens
• Central securities depositories
• Central counterparties
• Trading venues
• Trade repositories
• Managers of alternative investment funds
• Management companies
• Data reporting service providers
• Insurance and reinsurance undertakings
• Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
• Institutions for occupational retirement provision
• Credit rating agencies
• Administrators of critical benchmarks
• Crowdfunding service providers
• Securitisation repositories

Financial entity types that are NOT in scope for DORA

• Managers of alternative investment funds
• Insurance and reinsurance undertakings
• Institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total
• Natural or legal persons exempt in accordance with Articles 2 and 3 of Directive 2014/65/EU
• Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises
• Post office giro institutions

Source: Article 2, Regulation (EU) 2022/2554