Who must comply with DORA?
DORA applies to around 20 categories of financial entity under Article 2, plus the ICT third-party providers that serve them. Pick your entity type to see which obligations bite hardest and where proportionality helps. Start with what DORA is if you are new to the regulation.
Banks & credit institutions
Full ICT framework, TLPT for significant banks, register of information.
See scopeInsurance & reinsurance
Insurers, reinsurers and intermediaries, with proportionality relief.
See scopePayment & e-money institutions
Incident reporting and resilience testing are especially material.
See scopeInvestment firms
MiFID firms, with a simplified framework for small, non-interconnected firms.
See scopeCrypto-asset service providers
MiCA-authorised CASPs must build DORA compliance across all five pillars.
See scopeFintech startups
Scope depends on licence; microenterprises get a simplified framework.
See scopeICT third-party providers
Pulled in via clients' contractual and register obligations.
See scopeCritical ICT providers
Designated providers face a direct EU oversight framework (Art 31).
See scope