Article 2 Digital Operational Resilience Act (DORA), Personal Scope
Article 2 of the Digital Operational Resilience Act (DORA) outlines the personal scope of the regulation, clearly identifying the entities and individuals that must comply with its provisions. This section is essential for delineating the reach of DORA, ensuring that all relevant financial institutions and third parties are subject to its digital resilience standards. By establishing who is covered under DORA, the regulation sets the foundation for enforcing stringent cybersecurity measures across the financial sector, thereby safeguarding against ICT-related disruptions and cyber threats.
Scope of Financial Entities Under DORA
The regulation applies to a comprehensive range of entities within the financial sector, collectively referred to as ‘financial entities.’ These include:
- Credit Institutions: Banks and similar entities that accept deposits and provide loans, playing a vital role in facilitating transactions and extending credit to individuals and businesses.
- Payment Institutions: Entities that offer services related to fund transfers, such as payments and money transfers, without necessarily accepting deposits like traditional banks.
- Electronic Money Institutions: Organizations that issue electronic money, representing fiat currency stored electronically, facilitating digital transactions and online payments.
- Investment Firms: Companies providing investment services, including managing investments, offering financial advice, or executing trades for clients. This category includes brokers, asset managers, and investment advisors.
- Companies Offering Cryptoasset Services: Businesses involved in providing services related to cryptocurrencies and digital tokens, such as trading, custody, or advisory services for digital assets.
- Issuers of Asset-Referenced Tokens and Significant Tokens: Entities that issue digital tokens backed by assets or with substantial economic value. Asset-referenced tokens are linked to specific assets or baskets of assets, while significant tokens are distinguished by their widespread use or economic impact.
- Central Securities Depositories (CSDs): Institutions responsible for holding and managing securities on behalf of investors, facilitating the transfer and settlement of securities transactions.
- Central Counterparties (CCPs): Entities acting as intermediaries in financial transactions, especially in derivatives and securities markets, by assuming counterparty risk to ensure trades are completed even if one party defaults.
- Trading Venues: Platforms where financial instruments are bought and sold, including stock exchanges and electronic trading systems, enabling the trading of securities, commodities, and other financial products.
- Trade Repositories: Organizations that collect and maintain data on derivatives trades, enhancing market transparency by storing and sharing trade information with regulators.
- Managers of Alternative Investment Funds (AIFs): Firms managing funds that invest in non-traditional assets such as private equity, hedge funds, or real estate.
- Management Companies: Firms that manage investment funds or portfolios on behalf of investors, overseeing the day-to-day operations and decision-making processes for the funds.
DORA Compliance Framework
In addition to the entities listed above, DORA applies to the following:
- Data Reporting Service Providers (DRSPs): Entities offering services related to financial data reporting, ensuring compliance with regulatory requirements and enhancing market transparency.
- Insurance and Reinsurance Undertakings: Companies providing insurance coverage to mitigate risks, with reinsurance undertakings offering insurance to insurance companies to manage their risk exposure.
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: Brokers, agents, and other entities involved in the distribution and sale of insurance and reinsurance products.
- Institutions for Occupational Retirement Pensions: Organizations managing pension schemes for employees, ensuring proper management of pension funds and providing retirement benefits.
- Credit Rating Agencies: Agencies that evaluate the creditworthiness of issuers of debt securities and financial instruments, influencing borrowing costs and investment decisions.
- Statutory Auditors and Audit Firms: Professionals and firms that audit financial statements, ensuring accuracy and compliance with accounting standards and regulations.
- Administrators of Critical Benchmarks: Entities managing and publishing financial benchmarks used as reference points for financial contracts, such as interest rates or commodity prices, maintaining market integrity.
- Crowdfunding Service Providers: Platforms facilitating the raising of funds for projects or ventures from large numbers of people, typically through online platforms.
- Securitisation Repositories: Entities collecting and maintaining data on securitisation transactions, ensuring transparency and regulatory compliance.
- ICT Third-Party Service Providers: Companies providing information and communication technology services to financial entities, including cloud computing, data storage, and cybersecurity solutions.
Broad Applicability of DORA
DORA’s scope is notably broad, encompassing both traditional financial service providers, such as banks and insurance companies, and newer entities like crowdfunding platforms and digital asset service providers. A key aspect of this regulation is the inclusion of ICT third-party service providers, reflecting the critical role that outsourced IT services play in supporting financial operations.
By bringing these diverse entities under a unified regulatory framework, DORA aims to establish consistent standards for ICT risk management, incident reporting, resilience testing, and oversight across the financial sector. This comprehensive approach ensures that all significant actors within the financial ecosystem adhere to robust cybersecurity measures, enhancing overall financial stability, protecting consumer interests, and fostering trust in financial markets.