Question 1

Does my entity fall under DORA?

Accepted Answer

DORA (EU Regulation 2022/2554) applies to 21 categories of financial entities listed in Article 2(1)(a)-(t), plus ICT third-party service providers (Article 2(1)(u)). It covers credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and more. Use this free assessment tool to check your scope.

Question 2

What is the difference between full and simplified DORA framework?

Accepted Answer

The full DORA framework applies to most financial entities, covering all 6 pillars: ICT risk management, incident reporting, digital operational resilience testing (including TLPT), ICT third-party risk, information sharing, and governance. The simplified framework (Article 16) applies to 5 specific categories of smaller entities, with proportionate requirements and no TLPT obligation.

Question 3

When does DORA apply?

Accepted Answer

DORA (Regulation (EU) 2022/2554) entered into force on 16 January 2023 and applies from 17 January 2025. All in-scope financial entities and ICT third-party service providers must comply from this date.

DORA
Scope Assessment

Scope Assessment

Framework Tier

Obligations & Deadlines

TLPT & NIS2

DORAScope Assessment

Scope Assessment

Framework Tier

Obligations & Deadlines

TLPT & NIS2

DORA Scope Assessment

DORA
Scope Assessment