
Who needs to comply with DORA?

Quick answer

DORA (EU Regulation 2022/2554) applies to more than 20,000 financial entities regulated in the EU, including banks, payment institutions, investment firms, insurers, and crypto-asset service providers. ICT third-party service providers are also in scope, and those designated as critical fall under direct oversight by the European Supervisory Authorities. The regulation has applied since 17 January 2025.

The full answer

DORA (EU Regulation 2022/2554) defines its scope in Article 2. Article 2(1) lists twenty categories of financial entity, plus ICT third-party service providers as a twenty-first category. The European Commission's impact assessment estimated this covers more than 20,000 regulated entities across the EU.

Banks and payment institutions. Credit institutions, payment institutions (including exempt payment institutions), account information service providers, and electronic money institutions are all in scope.

Investment and capital markets. Investment firms, central securities depositories, central counterparties, trading venues, trade repositories, and data reporting service providers must comply.

Asset management. Alternative investment fund managers (AIFMs) and UCITS management companies are included.

Insurance and pensions. Insurance undertakings, reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries are in scope, although intermediaries that are micro, small or medium-sized enterprises are exempted by Article 2(3). Institutions for occupational retirement provision (IORPs) are included too, except those operating schemes with no more than 15 members in total.

Newer regulated categories. Crypto-asset service providers authorised under MiCA (Regulation 2023/1114) and issuers of asset-referenced tokens, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories round out the list.

ICT third-party providers. DORA breaks with the traditional model of financial regulation by pulling technology vendors into scope directly (Article 2(1)(u)). The three ESAs (EBA, ESMA, and EIOPA) designate specific providers as critical ICT third-party service providers (CTPPs) under Article 31, based on criteria such as the systemic impact of a failure and the number and importance of the financial entities relying on the provider. A CTPP is assigned a Lead Overseer from one of the ESAs, which can issue information requests, conduct investigations and on-site inspections, and address recommendations under Article 35; the CTPP must either follow each recommendation or explain why it has not, and financial entities can be required to reduce their reliance on a provider that does not. Non-designated ICT providers are still affected indirectly, through the contractual terms their financial entity clients must impose on them under Article 30.

Proportionality and exemptions

Article 2(3) lists the entities excluded from scope: small AIFMs under Article 3(2) of the AIFMD, small insurance and reinsurance undertakings under Article 4 of Solvency II, IORPs with no more than 15 members, persons exempted under Articles 2 and 3 of MiFID II, insurance intermediaries that are micro, small or medium-sized enterprises, and post office giro institutions. Central banks, national competent authorities and other public bodies are outside scope because they are not among the financial entities listed in Article 2(1), not because of an explicit carve-out. Microenterprises (defined in Article 3 as entities with fewer than 10 employees and annual turnover or balance sheet total not exceeding €2 million, excluding trading venues, CCPs, trade repositories and CSDs) remain in scope but get lighter treatment: individual articles exclude them expressly, most notably threat-led penetration testing (Article 26) and certain governance obligations.

Article 16 replaces the full ICT risk management framework of Articles 5 to 15 with a simplified one for a defined group: small and non-interconnected investment firms, payment institutions and electronic money institutions that are exempted under PSD2 and the E-Money Directive, institutions exempted under CRD in Member States that have not used the Article 2(4) option, and small IORPs.

Article 4's proportionality principle runs through all of DORA: the risk management, incident reporting and testing requirements apply in a manner proportionate to each entity's size and overall risk profile, and to the nature, scale and complexity of its services, activities and operations. A large universal bank and a small crowdfunding platform are both in scope, but the operational burden looks very different.

Geographic scope

Entities authorised or registered in the EU must comply regardless of where their parent company is located. ICT providers established outside the EU can be designated as critical if they serve EU financial entities and meet the Article 31 criticality criteria. Under Article 31(12), a CTPP established in a third country must set up a subsidiary in the EU within 12 months of designation.

DORA was published in the Official Journal of the EU on 27 December 2022, entered into force on 16 January 2023, and has applied since 17 January 2025. The EBA's DORA section tracks the regulatory and implementing technical standards that flesh out the Level 1 text as they are finalised. ESMA publishes parallel guidance for capital markets entities.

Why this matters

For compliance teams, DORA's scope question has two practical angles: whether your organisation is directly in scope and whether your ICT vendors are.

If you're a financial entity. Being in scope means four things to operationalise: an ICT risk management framework (Articles 5-16), an incident classification and reporting process with tight deadlines (Articles 17-23), a resilience testing programme (Articles 24-27) including threat-led penetration testing at least every three years for entities their competent authority identifies as significant, and updated contracts with every ICT provider that touches your operations (Articles 28-30).

The incident reporting timelines are where most organisations get caught out. Under the regulatory technical standards adopted under Article 20, the initial notification to your national competent authority must go in within 4 hours of classifying an incident as major, and no later than 24 hours after first becoming aware of it. An intermediate report follows within 72 hours of the initial notification, and a final report is due within one month of the intermediate report (or its latest update). The 4-hour window is the hard part: a team that has not specifically prepared for DORA has to classify the incident correctly against the Article 18 criteria, escalate it internally, draft the notification in the required template, and submit it, all before that window closes. Expect regulatory examiners to focus on this.

If you're an ICT provider. Even without CTPP designation, your financial entity clients are already pushing DORA-mandated clauses from Article 30 into contract renegotiations: audit and access rights, business continuity and service level requirements, data portability and exit assistance, and incident notification obligations. CTPP designation raises the stakes considerably. Under Article 35, the Lead Overseer can impose periodic penalty payments of 1% of the provider's average daily worldwide turnover in the preceding business year, charged daily for up to six months, to compel compliance with information requests, investigations and inspections.

The third-party risk chain. Articles 28-44 require financial entities to maintain a register of information covering all ICT contractual arrangements, conduct due diligence before entering contracts for critical or important functions, and document exit strategies for them. If a critical provider fails and causes a service outage, regulators will ask to see the documented contingencies. Systematic failures at this level are the kind of governance gap that, in the most serious cases, can escalate to formal supervisory measures such as an externally monitored remediation programme.

The EU AI Act overlap. Financial entities that use AI systems for compliance functions face dual obligations. DORA governs the ICT infrastructure those systems run on; the EU AI Act governs the models themselves if they qualify as high-risk AI. Meeting one regulation doesn't satisfy the other: operational resilience obligations under DORA and conformity obligations under the AI Act run in parallel.

The consequences of DORA non-compliance follow a similar escalation path to what we've seen with AML enforcement. What happens when a bank fails a regulatory exam maps closely to how national competent authorities are expected to respond to DORA gaps: a remediation plan first, then formal action if that plan is not delivered.
