Skip to main content
DORA Auditor

DORA for Investment Firms

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

Investment firmsauthorised under MiFID are within DORA's scope under Article 2. DORA applies proportionately: small and non-interconnected investment firms may use a simplified ICT risk-management framework, while larger firms face the full regime. DORA has applied since 17 January 2025.

Proportionality is central

DORA explicitly scales obligations. Small and non-interconnected investment firms, and firms that qualify as microenterprises, may apply a simplified ICT risk-management framework and are generally out of scope for mandatory TLPT.

What still applies to everyone

Trading-critical systems

Firms running order-management, execution or market-data systems should treat availability and integrity as first-order resilience risks and test accordingly.

Frequently asked questions

Do small investment firms get relief under DORA?
Are investment firms named in DORA?
Does the simplified framework mean no incident reporting?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)