If you’re looking for answers to your ‘Who does DORA apply to?’ questions, then this article is just for you.
With so much confusion around who DORA applies to, we explain which organisations need to comply with DORA, and break down the financial entities and ICT third-party service providers it covers.
So let’s dive in…
Quick Overview of DORA
The Digital Operational Resilience Act (DORA) is a crucial piece of legislation within the European Union aimed at enhancing the digital resilience of financial entities and their service providers. DORA came into force on 16 January 2023 and will be enforced as of 17 January 2025. Enacted in response to the growing complexity of the financial sector’s IT systems, DORA establishes a comprehensive framework for managing and mitigating risks related to information and communication technology (ICT).
DORA is designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. This regulation mandates stringent requirements for managing ICT risks, reporting incidents, conducting digital operational resilience testing, and managing relationships with ICT third-party service providers. The goal is to create a more robust and resilient financial system capable of enduring cyber threats and operational disruptions.
Non-compliance with DORA may result in significant fines, which is why the legislation is being likened to GDPR.
DORA’s timeline
- 16th Jan 2023: DORA has already entered into force
- 17th Jan 2024: A number of Final Reports on draft Regulatory Technical Standards (RTS) were released, providing guidance on the implementation of DORA
- 17th Jul 2024: Additional Regulatory Technical Standards (RTS) are due to be released, providing further guidance on areas including, but not limited to, the format of reports for major incidents and the criteria used to designate third-party service providers as critical (CTPPs)
- 17th Jan 2025: Organisations have been granted a transition period until January 2025 to achieve full compliance
Organisations covered by DORA
Financial sector firms
DORA will lead to substantial changes for entities under the supervision of ESMA or EIOPA, as well as for banks that already adhere to existing EBA guidelines. DORA also extends its scope to financial sector organisations that were previously not subject to comprehensive information security or operational resilience regulations; examples include crypto-asset service providers, intermediaries, managers of alternative investment funds, crowdfunding service providers, cloud-service providers, and ICT third-party service providers.
Since Brexit, many UK financial entities have established an EU presence to support their current or planned activities, making them subject to DORA regulations as well.
UK financial organisations are governed by various UK regulations and regulators, such as NIS, the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA). UK regulators have introduced the UK operational resilience regimes and are working on a UK critical third party regime; these are broadly principles-based, but there is clear alignment with DORA.
List of organisations in scope:
- credit institutions
- payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366
- account information service providers
- electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC
- investment companies
- crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’), and issuers of asset-referenced tokens
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- securitisation repositories
- ICT third-party service providers
Are you an ICT Third-Party Service Provider (TPSP) or a Critical Third-Party Provider (CTPP)?
The definition of an ICT third-party service provider (TPSP) is very broad. In summary, if you provide hardware, software or data services to an EU-regulated financial services firm, you are very likely to be considered a TPSP and in scope of the legislation.
Your clients, the financial service firms, are required to carry out due diligence and ongoing oversight on the services you provide. The level of oversight they need to carry out is driven by the risk your service poses to their business operations. If your service supports a critical or important function, then the level of due diligence and oversight is
What is a Critical Third-Party Provider (CTPP)?
Certain third-party service providers may be designated as systemically important to financial services in the EU: an operational failure at such a provider would impact the stability, continuity or quality of the provision of financial services. Those companies may be designated as critical third-party service providers (CTPPs).
Under DORA, a new oversight regime for CTPPs has been established. CTPPs won’t be directly regulated but will be subject to direct oversight by Lead Overseers. Additionally, CTPPs will be obligated to cover the costs of oversight. The specific organisations designated as CTPPs have yet to be determined.
Whilst there will be direct regulatory oversight, the responsibility for outsourcing activities to CTPPs remains with the regulated financial entities, who must maintain a register of outsourced services.
The premise is that, whilst financial service organisations may choose to outsource services to third parties, who may in turn rely on fourth-party providers, the financial service organisation cannot outsource responsibility. Therefore, external third-party providers and subcontractors should be treated in the same manner as internal teams and be subject to the same policies and risk management framework.
Although the list of designated CTPPs has not been published as of the writing of this article, we expect it to include the following types of providers of critical ICT-related services to financial entities:
- Cloud Service Providers: As financial entities increasingly rely on cloud services for their operations, ensuring the resilience of these service providers is essential.
- Data Analytics and Processing Providers: These companies handle vast amounts of sensitive financial data and underpin the ongoing operation of many services.
- Software Providers: Firms providing essential software applications to multiple financial entities present a concentration risk and, as a consequence, may be designated as CTPPs.
- Data Centre Providers: The physical and digital security of data centres is crucial to operational resilience; therefore, many data centre providers are likely to be designated as CTPPs.
I’m a supplier to a FinTech, will I be impacted by DORA?
Subcontractors, sometimes known as fourth parties, providing ICT services to another ICT third-party service provider will be in scope if they underpin ICT services supporting critical or important functions. The aim is to mitigate supply chain risk.
Are you looking to implement DORA successfully?
The Adoptech team can provide:
Expertise
Adoptech professionals offer extensive expertise in compliance, legal, information security, operational resilience and third-party risk management to both the financial sector and ICT providers. The team offers comprehensive solutions to help companies navigate the complexities of DORA implementation and establish robust frameworks for ongoing compliance and resilience.
Our services are underpinned by secure, state-of-the art technology solutions that ensure ongoing compliance is effective and efficient.
Automation
We believe that the future of compliance is automated. The founding team spent many years automating trading flows and building automated RegTech solutions. The same approach, combining a technology-first mindset with expertise, is being applied to DORA.
Within our platform, users can conduct a gap analysis, define roles and responsibilities, assign tasks, monitor risks, track controls, oversee third-parties, and generate various mandatory DORA reports and policies.
Audit & Compliance
Demonstrate your organisation’s commitment to digital operational resilience and provide valuable insights and assurance to senior management, regulators and stakeholders with a comprehensive DORA report.
Trusted audit companies conduct an independent audit covering the five areas of DORA, generating a detailed DORA audit report. This independent report, along with the annual review on ICT risk management, forms a robust demonstration of your organisation’s dedication to DORA compliance.
Insights & Value
Cost-effectiveness. Despite the imposition of an audit, consider the potential cost of a data breach. In 2021, a single data breach cost, on average, $4.2 million—a figure that continues to rise annually.
Regulatory compliance. Unlike SOC 2, ISO 27001, and NIST compliance, DORA compliance is mandatory by law. Non-compliance can lead to substantial fines. Critical third-party technology providers can face fines of up to 1% of their average daily worldwide turnover, per day until compliance is achieved, with fines possible for up to six months.
Peace of mind. Successfully passing a DORA audit provides assurance that your organisation has implemented controls to ensure operational resilience, safeguarding your business and customer data.
Customer demand. Protecting data from unauthorised access is a priority for your clients, and having a DORA report can help build trust with customers, whether you are a financial institution or a fintech.
A DORA report offers valuable insights into your organisation’s risk and security posture, management of third-party risks, governance of internal controls, readiness for incidents and more.
Where can I learn more?
If you would like to know more about DORA and understand how you can achieve compliance efficiently, contact us today.
The Regulation’s official reference is Regulation (EU) 2022/2554.
The text of the regulation is available from here.
A more user-friendly, hyperlinked, and searchable (unofficial) version has been published here.