DORA for Investment Firms
Investment firmsauthorised under MiFID are within DORA's scope under Article 2. DORA applies proportionately: small and non-interconnected investment firms may use a simplified ICT risk-management framework, while larger firms face the full regime. DORA has applied since 17 January 2025.
Proportionality is central
DORA explicitly scales obligations. Small and non-interconnected investment firms, and firms that qualify as microenterprises, may apply a simplified ICT risk-management framework and are generally out of scope for mandatory TLPT.
What still applies to everyone
- Governance and accountability for ICT risk at management-body level.
- Major-incident classification and reporting.
- A register of information on ICT third-party arrangements.
Trading-critical systems
Firms running order-management, execution or market-data systems should treat availability and integrity as first-order resilience risks and test accordingly.
Frequently asked questions
Do small investment firms get relief under DORA?
Yes. Small and non-interconnected investment firms may use a simplified ICT risk-management framework and are generally outside mandatory TLPT.
Are investment firms named in DORA?
Yes, investment firms are among the financial entities listed in Article 2.
Does the simplified framework mean no incident reporting?
No. Major-incident reporting still applies; the simplification concerns the depth of the risk-management framework, not the reporting duty.