“Does DORA apply to us?” This question is generating significant uncertainty across the financial services industry — and understandably so. DORA’s scope is broader than many organisations initially assume, and the regulation’s treatment of ICT third-party service providers creates obligations for technology companies that have not previously been subject to EU financial regulation.

This post provides a systematic guide to DORA scope for both financial entities and technology providers.

Financial Entities Covered by DORA

Article 2 of DORA lists the financial entities that fall within scope. The list is comprehensive and includes:

Credit institutions (banks); payment institutions and e-money institutions; investment firms, UCITS management companies, and alternative investment fund managers; crypto-asset service providers under MiCA; insurance and reinsurance undertakings; occupational pension institutions; credit rating agencies; data reporting service providers; central securities depositories, central counterparties, and trading venues; trade repositories; managers of alternative investment funds; crowdfunding service providers; and securitisation repositories.

The breadth is significant. A fintech operating a payment institution licence is in scope. A crypto exchange operating under MiCA is in scope. A crowdfunding platform is in scope. DORA was explicitly designed to cover the full breadth of regulated financial activity — including the newer digital financial service categories that earlier EU financial regulation did not reach comprehensively.

The Proportionality Principle

DORA applies proportionality — smaller and simpler entities face lighter compliance requirements than large, systemically important ones. Microenterprises (fewer than 10 employees and annual turnover not exceeding €2 million) are explicitly exempted from several requirements. The advanced resilience testing requirements (TLPT) apply only to entities identified as significant by their competent authority. The basic ICT risk management requirements (a simplified ICT risk management framework under Article 16) apply to smaller financial entities.

Proportionality does not mean exemption. Every financial entity within DORA scope must have some level of ICT risk management framework, incident reporting capability, and third-party risk management. The depth and sophistication scale with the entity’s size and complexity.

ICT Third-Party Service Providers: A New Category

DORA creates a new regulatory category: Critical ICT Third-Party Service Providers (CTPPs). These are providers of cloud computing, software, data analytics, or data centre services to financial entities, designated as critical by the European Supervisory Authorities (ESAs) based on the systemic importance of the services they provide.

Providers designated as CTPPs face direct regulatory oversight — including mandatory registration, conduct requirements, and the right of ESAs to conduct inspections. This is a significant development: for the first time, technology companies providing services to EU financial entities face direct EU financial regulatory oversight, rather than oversight flowing entirely through their financial entity clients.

Providers that are not designated CTPPs are still subject to indirect DORA requirements — financial entities must include specific mandatory contractual provisions in their ICT service agreements, conduct due diligence on third-party providers, and manage concentration risks. Technology providers whose financial entity clients begin requesting DORA-compliant contract terms, audit rights, and evidence of ICT resilience are experiencing the indirect effects of DORA scope.

Non-EU Financial Entities with EU Operations

DORA applies to financial entities operating in the EU — not just to EU-incorporated entities. A UK-headquartered bank with EU operations, a US investment firm with EU-regulated subsidiaries, or a non-EU payment institution providing payment services in the EU through a licensed entity will have DORA-scope entities within their group. The scope question is not “are we an EU company?” but “do we have entities that are regulated under EU financial services law?”

At Bitsecura, we help organisations work through DORA scope questions — identifying which entities within a group are in scope, understanding the proportionality implications for their size and complexity, and mapping the full set of compliance obligations that apply. If you are uncertain about your DORA scope, reach out here. Scope clarity is the essential first step in compliance planning.


Bitsecura provides DORA compliance consulting and ICT risk management services for financial entities. Learn more about our DORA services.