Article 2, Scope, Digital Operational Resilience Act (DORA)

by Kira Hk

Overview

1. Without prejudice to paragraphs 3 and 4, this Regulation applies to the following entities:

(a) credit institutions;

(b) payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;

(c) account information service providers;

(d) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;

(e) investment firms;

(f) crypto-asset service providers as authorized under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’) and issuers of asset-referenced tokens;

(g) central securities depositories;

(h) central counterparties;

(i) trading venues;

(j) trade repositories;

(k) managers of alternative investment funds;

(l) management companies;

(m) data reporting service providers;

(n) insurance and reinsurance undertakings;

(o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;

(p) institutions for occupational retirement provision;

(q) credit rating agencies;

(r) administrators of critical benchmarks;

(s) crowdfunding service providers;

(t) securitization repositories;

(u) ICT third-party service providers.


2. For the purposes of this Regulation, entities referred to in paragraph 1, points (a) to (t), shall collectively be referred to as ‘financial entities’.


3. This Regulation does not apply to:

(a) managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;

(b) insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;

(c) institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;

(d) natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;

(e) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises;

(f) post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.

4. Member States may exclude from the scope of this Regulation entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU that are located within their respective territories. Where a Member State makes use of such option, it shall inform the Commission thereof as well as of any subsequent changes thereto. The Commission shall make that information publicly available on its website or other easily accessible means.

Summary Of Article 2

Article 2 of the Digital Operational Resilience Act (DORA) defines its scope, specifying the entities to which the Regulation applies. It covers a wide range of entities, such as credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, trading venues, insurance and reinsurance undertakings, crowdfunding service providers, and ICT third-party service providers. The entities in points (a) to (t) of paragraph 1, that is, all of those listed except ICT third-party service providers, are collectively referred to as “financial entities.”

The Regulation excludes certain groups, such as specific managers of alternative investment funds, specific insurance and reinsurance undertakings, institutions for occupational retirement provision whose pension schemes together have no more than 15 members, insurance intermediaries that are microenterprises or small or medium-sized enterprises, and post office giro institutions. Additionally, Member States have the discretion to exclude certain entities referred to in Directive 2013/36/EU that are located within their territories, provided they inform the European Commission, which will make this information publicly available.

This article ensures that DORA targets entities critical to the financial sector's digital resilience while allowing flexibility for Member States to tailor its application to their specific needs. By clearly defining its scope, Article 2 aims to foster a consistent and robust framework for digital operational resilience across the EU financial sector, safeguarding its stability and security against ICT-related risks.

