Article 2 Digital Operational Resilience Act (DORA), Personal Scope

by Sneha Naskar

Article 2 of the Digital Operational Resilience Act (DORA) defines the Personal Scope of the regulation, specifying which entities and individuals are subject to its provisions. This section is crucial for delineating the reach of DORA, ensuring that financial institutions, including banks, insurance companies, and investment firms, as well as relevant third parties, are clearly identified. By outlining who must comply with DORA, Article 2 establishes a framework for enforcing digital resilience standards and safeguarding against ICT-related disruptions and cyber threats, thereby enhancing the overall stability and security of the financial sector.


Scope of Financial Entities Under DORA

The Regulation applies to a wide array of entities within the financial sector, collectively known as ‘financial entities’. These include:

  • Credit Institutions: These are banks and similar entities that accept deposits and provide loans. They play a crucial role in the financial system by facilitating transactions and offering credit to individuals and businesses.
  • Payment Institutions: These institutions provide services related to the transfer of funds between parties. They facilitate transactions such as payments and money transfers but do not necessarily accept deposits like banks.
  • Electronic Money Institutions: These institutions issue electronic money, which is a digital representation of fiat currency stored electronically. They facilitate electronic transactions and are often involved in online payments.
  • Investment Firms: Firms that offer investment services, such as managing investments, providing financial advice, or executing trades on behalf of clients. They include brokers, asset managers, and investment advisors.
  • Companies Offering Cryptoasset Services: These companies are involved in the provision of services related to cryptocurrencies and digital tokens. They may offer trading, custody, or advisory services for digital assets.
  • Issuers of Asset-Referenced Tokens and Significant Tokens: These entities issue digital tokens that are backed by assets or have significant economic value. Asset-referenced tokens are linked to a specific asset or a basket of assets, while significant tokens are deemed important due to their widespread use or impact.
  • Central Securities Depositories (CSDs): Institutions that hold and manage securities, such as stocks and bonds, on behalf of investors. They facilitate the transfer and settlement of securities transactions.
  • Central Counterparties (CCPs): Entities that act as intermediaries in financial transactions, particularly in derivatives and securities markets. They assume the counterparty risk, ensuring that trades are completed even if one party defaults.
  • Trading Venues: Platforms where financial instruments are bought and sold, including stock exchanges and electronic trading systems. They facilitate the trading of securities, commodities, and other financial products.
  • Trade Repositories: Entities that collect and maintain data on derivatives trades. They provide transparency to financial markets by storing information on trades and making it available to regulators.
  • Managers of Alternative Investment Funds (AIFs): Firms that manage funds which invest in assets outside traditional stocks and bonds, such as private equity, hedge funds, or real estate.
  • Management Companies: Firms that manage investment funds or portfolios on behalf of investors. They handle the day-to-day operations and decision-making for the funds they manage.


  • Data Reporting Service Providers (DRSPs): Entities that provide services related to the reporting of financial data, ensuring compliance with regulatory requirements and enhancing transparency in financial markets.
  • Insurance and Reinsurance Undertakings: Companies that provide insurance coverage to protect against risks and uncertainties. Reinsurance undertakings offer insurance to insurance companies, helping them manage risk exposure.
  • Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: Intermediaries that facilitate the sale of insurance and reinsurance products. They include brokers, agents, and other entities involved in the distribution of insurance products.
  • Institutions for Occupational Retirement Pensions: Organizations that manage pension schemes for employees, providing retirement benefits and ensuring the proper management of pension funds.
  • Credit Rating Agencies: Agencies that assess the creditworthiness of issuers of debt securities and financial instruments. Their ratings influence the borrowing costs and investment decisions of market participants.
  • Statutory Auditors and Audit Firms: Professionals and firms that provide auditing services, ensuring that financial statements are accurate and comply with accounting standards and regulations.
  • Administrators of Critical Benchmarks: Entities that manage and publish financial benchmarks used as reference points for financial contracts, such as interest rates or commodity prices. Their role is crucial in maintaining the integrity of financial markets.
  • Crowdfunding Service Providers: Platforms that facilitate the raising of funds for projects or ventures from a large number of people, typically through online platforms.
  • Securitisation Repositories: Entities that collect and maintain data on securitisation transactions, ensuring transparency and compliance with regulatory requirements.
  • ICT Third-Party Service Providers: Companies that provide information and communication technology services to financial entities, such as cloud computing, data storage, or cybersecurity solutions.

The entities listed above are collectively called ‘financial entities’ under this Regulation.

To guarantee the security and resilience of the network and information systems that underpin the business operations of financial companies, the Digital Operational Resilience Act (DORA) lays down extensive standards. The Regulation covers a broad range of financial service providers, from more established firms like credit and payment providers to more recent entrants like crowdfunding websites and suppliers of services for digital assets.

Key to this scope is the inclusion of ICT third-party service providers, reflecting the critical role of outsourced IT services in supporting financial operations. By encompassing these entities under a unified regulatory framework, DORA seeks to establish consistent standards for ICT risk management, incident reporting, resilience testing, and oversight across the financial sector.

This broad applicability ensures that all significant actors within the financial ecosystem adhere to robust cybersecurity measures, thereby enhancing overall financial stability, protecting consumer interests, and fostering trust in financial markets.
