{
  "metadata": {
    "title": "DORA — Scope Assessment Tool",
    "version": "1.0.0",
    "date": "2026-03-07",
    "sources": [
      "Regulation (EU) 2022/2554 (DORA)",
      "Commission Delegated Regulation (EU) 2024/1774 (RTS ICT Risk Management)",
      "Commission Delegated Regulation (EU) 2024/1772 (RTS Incident Classification)",
      "Commission Delegated Regulation (EU) 2024/1773 (RTS Third-Party Policy)",
      "Commission Implementing Regulation (EU) 2024/1771 (ITS Incident Reporting)",
      "Commission Implementing Regulation (EU) 2024/2956 (ITS Register of Information)",
      "Commission Delegated Regulation (EU) 2025/301 (RTS Incident Reporting Content)",
      "Commission Implementing Regulation (EU) 2025/302 (ITS Incident Reporting Forms)",
      "Commission Delegated Regulation (EU) 2025/532 (RTS Subcontracting)",
      "Commission Delegated Regulation (EU) 2025/1190 (RTS TLPT)"
    ],
    "flow_stages": [
      "S1: Jurisdiction",
      "S2: Sector & Entity Type",
      "S3: Exclusions",
      "S4: Size Assessment",
      "S5: Framework Classification",
      "S6: NIS2 Interaction",
      "S7: Result"
    ]
  },
  "start_node": "j_010",
  "nodes": {
    "j_010": {
      "id": "j_010",
      "stage": "S1_JURISDICTION",
      "type": "question",
      "text": "Does your entity operate within the European Union or European Economic Area (EEA)?",
      "help": "DORA applies to financial entities authorised or registered in the EU/EEA, and to ICT third-party service providers serving them. The EEA includes all EU Member States plus Norway, Iceland, and Liechtenstein.",
      "legal_ref": "Art. 2",
      "edge_case": "Third-country branches: Branches of non-EU financial institutions operating in the EU under local authorisation may fall within DORA scope through their EU-authorised activities.",
      "options": [
        {
          "id": "j_010_a",
          "label": "Yes, we are established/authorised in the EU/EEA",
          "value": "EU_EEA",
          "next": "s_010"
        },
        {
          "id": "j_010_b",
          "label": "No, but we provide ICT services to EU/EEA financial entities",
          "description": "Non-EU ICT service providers may still fall under DORA if they serve EU/EEA financial entities.",
          "value": "ICT_NON_EU",
          "next": "s_010_ict"
        },
        {
          "id": "j_010_c",
          "label": "No, we have no EU/EEA connection",
          "value": "NO_EU",
          "next": "r_out_jurisdiction"
        }
      ]
    },
    "s_010": {
      "id": "s_010",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "In which financial sector does your entity primarily operate?",
      "help": "Select the sector that best describes your entity's main regulated activity. If you operate across multiple sectors, assess each one separately.",
      "legal_ref": "Art. 2(1)",
      "edge_case": "Entities with multiple authorisations should apply DORA based on their primary/most demanding authorisation.",
      "options": [
        {
          "id": "s_010_a",
          "label": "Banking & Credit",
          "value": "BANKING",
          "next": "s_020_banking"
        },
        {
          "id": "s_010_b",
          "label": "Payment Services & Electronic Money",
          "value": "PAYMENT",
          "next": "s_020_payment"
        },
        {
          "id": "s_010_c",
          "label": "Investment Services & Securities",
          "value": "INVESTMENT",
          "next": "s_020_investment"
        },
        {
          "id": "s_010_d",
          "label": "Insurance & Pensions",
          "value": "INSURANCE",
          "next": "s_020_insurance"
        },
        {
          "id": "s_010_e",
          "label": "Market Infrastructure",
          "value": "MARKET_INFRA",
          "next": "s_020_infra"
        },
        {
          "id": "s_010_f",
          "label": "Crypto-Assets",
          "value": "CRYPTO",
          "next": "s_020_crypto"
        },
        {
          "id": "s_010_g",
          "label": "ICT Service Provider to Financial Entities",
          "value": "ICT_PROVIDER",
          "next": "s_020_ict"
        },
        {
          "id": "s_010_h",
          "label": "None of the above",
          "value": "NONE",
          "next": "r_out_not_financial"
        }
      ]
    },
    "s_010_ict": {
      "id": "s_010_ict",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "Do you provide ICT services to financial entities in the EU/EEA?",
      "help": "ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service. This excludes traditional analogue telephone services (DORA Art. 3(21)).",
      "legal_ref": "Art. 3(21)",
      "options": [
        {
          "id": "s_010_ict_a",
          "label": "Yes, we provide ICT services to financial entities",
          "value": "ICT_YES",
          "next": "ict_010"
        },
        {
          "id": "s_010_ict_b",
          "label": "No",
          "value": "ICT_NO",
          "next": "r_out_not_financial"
        },
        {
          "id": "s_010_ict_c",
          "label": "I'm not sure",
          "value": "ICT_UNSURE",
          "next": "r_consult_ict"
        }
      ]
    },
    "s_020_banking": {
      "id": "s_020_banking",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "What type of banking or credit entity are you?",
      "help": "Select the option that best matches your entity's authorisation.",
      "legal_ref": "Art. 2(1)(a)",
      "options": [
        {
          "id": "s_020_banking_a",
          "label": "Credit institution (bank)",
          "description": "As defined in Regulation (EU) No 575/2013 (CRR), Art. 4(1)(1)",
          "legal_ref": "Art. 2(1)(a)",
          "value": "CREDIT_INST",
          "next": "x_010_credit"
        },
        {
          "id": "s_020_banking_b",
          "label": "I'm not sure / Other",
          "value": "UNSURE",
          "next": "r_consult_banking"
        }
      ]
    },
    "s_020_payment": {
      "id": "s_020_payment",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "What type of payment services or electronic money entity are you?",
      "help": "Select the option that best matches your entity's authorisation or registration.",
      "legal_ref": "Art. 2(1)(b)-(d)",
      "edge_case": "Payment-related incidents: Payment service providers must report both under DORA (Art. 19) and PSD2 (Art. 96). DORA incident reporting obligations exist alongside (not replace) PSD2 requirements for payment-related incidents.",
      "options": [
        {
          "id": "s_020_payment_a",
          "label": "Payment institution",
          "description": "As defined in Directive (EU) 2015/2366 (PSD2)",
          "legal_ref": "Art. 2(1)(b)",
          "value": "PAYMENT_INST",
          "next": "x_010_payment"
        },
        {
          "id": "s_020_payment_b",
          "label": "Account information service provider",
          "description": "As defined in Directive (EU) 2015/2366 (PSD2)",
          "legal_ref": "Art. 2(1)(c)",
          "value": "AISP",
          "next": "sz_010"
        },
        {
          "id": "s_020_payment_c",
          "label": "Electronic money institution",
          "description": "As defined in Directive 2009/110/EC (EMD2)",
          "legal_ref": "Art. 2(1)(d)",
          "value": "EMONEY_INST",
          "next": "x_010_emoney"
        },
        {
          "id": "s_020_payment_d",
          "label": "I'm not sure / Other",
          "value": "UNSURE",
          "next": "r_consult_payment"
        }
      ]
    },
    "s_020_investment": {
      "id": "s_020_investment",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "What type of investment or securities entity are you?",
      "help": "Select the option that best matches your entity's authorisation.",
      "legal_ref": "Art. 2(1)(e),(k)-(m),(s)",
      "options": [
        {
          "id": "s_020_investment_a",
          "label": "Investment firm",
          "description": "As defined in Directive 2014/65/EU (MiFID II)",
          "legal_ref": "Art. 2(1)(e)",
          "value": "INVEST_FIRM",
          "next": "x_010_invest"
        },
        {
          "id": "s_020_investment_b",
          "label": "Manager of alternative investment funds (AIFM)",
          "description": "As defined in Directive 2011/61/EU (AIFMD)",
          "legal_ref": "Art. 2(1)(k)",
          "value": "AIFM",
          "next": "x_010_aifm"
        },
        {
          "id": "s_020_investment_c",
          "label": "UCITS management company",
          "description": "As defined in Directive 2009/65/EC (UCITS)",
          "legal_ref": "Art. 2(1)(l)",
          "value": "UCITS_MGMT",
          "next": "sz_010"
        },
        {
          "id": "s_020_investment_d",
          "label": "Data reporting service provider",
          "description": "As defined in Regulation (EU) No 600/2014 (MiFIR)",
          "legal_ref": "Art. 2(1)(m)",
          "value": "DRSP",
          "next": "sz_010"
        },
        {
          "id": "s_020_investment_e",
          "label": "Crowdfunding service provider",
          "description": "As defined in Regulation (EU) 2020/1503",
          "legal_ref": "Art. 2(1)(s)",
          "value": "CROWDFUND",
          "next": "sz_010"
        },
        {
          "id": "s_020_investment_f",
          "label": "I'm not sure / Other",
          "value": "UNSURE",
          "next": "r_consult_investment"
        }
      ]
    },
    "s_020_insurance": {
      "id": "s_020_insurance",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "What type of insurance or pension entity are you?",
      "help": "Select the option that best matches your entity's authorisation or registration.",
      "legal_ref": "Art. 2(1)(n)-(p)",
      "options": [
        {
          "id": "s_020_insurance_a",
          "label": "Insurance or reinsurance undertaking",
          "description": "As defined in Directive 2009/138/EC (Solvency II)",
          "legal_ref": "Art. 2(1)(n)",
          "value": "INSUR_UNDER",
          "next": "x_010_insurance"
        },
        {
          "id": "s_020_insurance_b",
          "label": "Insurance, reinsurance, or ancillary insurance intermediary",
          "description": "As defined in Directive (EU) 2016/97 (IDD)",
          "legal_ref": "Art. 2(1)(o)",
          "value": "INSUR_INTER",
          "next": "x_010_intermediary"
        },
        {
          "id": "s_020_insurance_c",
          "label": "Institution for occupational retirement provision (IORP)",
          "description": "As defined in Directive (EU) 2016/2341 (IORPs II)",
          "legal_ref": "Art. 2(1)(p)",
          "value": "IORP",
          "next": "x_010_iorp"
        },
        {
          "id": "s_020_insurance_d",
          "label": "I'm not sure / Other",
          "value": "UNSURE",
          "next": "r_consult_insurance"
        }
      ]
    },
    "s_020_infra": {
      "id": "s_020_infra",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "What type of market infrastructure entity are you?",
      "help": "Select the option that best matches your entity's authorisation. Note: CSDs, CCPs, trading venues, and trade repositories cannot qualify as microenterprises regardless of size (Art. 3(60)).",
      "legal_ref": "Art. 2(1)(g)-(j),(q)-(r),(t)",
      "edge_case": "CSDs, CCPs, trading venues, and trade repositories cannot qualify as microenterprises regardless of size (Art. 3(60)).",
      "options": [
        {
          "id": "s_020_infra_a",
          "label": "Central securities depository (CSD)",
          "description": "As defined in Regulation (EU) No 909/2014 (CSDR)",
          "legal_ref": "Art. 2(1)(g)",
          "value": "CSD",
          "next": "sz_010"
        },
        {
          "id": "s_020_infra_b",
          "label": "Central counterparty (CCP)",
          "description": "As defined in Regulation (EU) No 648/2012 (EMIR)",
          "legal_ref": "Art. 2(1)(h)",
          "value": "CCP",
          "next": "sz_010"
        },
        {
          "id": "s_020_infra_c",
          "label": "Trading venue (regulated market, MTF, OTF)",
          "description": "As defined in Directive 2014/65/EU (MiFID II)",
          "legal_ref": "Art. 2(1)(i)",
          "value": "TRADING_VENUE",
          "next": "sz_010"
        },
        {
          "id": "s_020_infra_d",
          "label": "Trade repository",
          "description": "As defined in Regulation (EU) No 648/2012 (EMIR)",
          "legal_ref": "Art. 2(1)(j)",
          "value": "TRADE_REPO",
          "next": "sz_010"
        },
        {
          "id": "s_020_infra_e",
          "label": "Credit rating agency",
          "description": "As defined in Regulation (EC) No 1060/2009",
          "legal_ref": "Art. 2(1)(q)",
          "value": "CRA",
          "next": "sz_010"
        },
        {
          "id": "s_020_infra_f",
          "label": "Administrator of critical benchmarks",
          "description": "As defined in Regulation (EU) 2016/1011",
          "legal_ref": "Art. 2(1)(r)",
          "value": "BENCHMARK",
          "next": "sz_010"
        },
        {
          "id": "s_020_infra_g",
          "label": "Securitisation repository",
          "description": "As defined in Regulation (EU) 2017/2402",
          "legal_ref": "Art. 2(1)(t)",
          "value": "SECURIT_REPO",
          "next": "sz_010"
        },
        {
          "id": "s_020_infra_h",
          "label": "I'm not sure / Other",
          "value": "UNSURE",
          "next": "r_consult_infra"
        }
      ]
    },
    "s_020_crypto": {
      "id": "s_020_crypto",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "What type of crypto-asset entity are you?",
      "help": "Select the option that best matches your entity's authorisation under MiCA.",
      "legal_ref": "Art. 2(1)(f)",
      "options": [
        {
          "id": "s_020_crypto_a",
          "label": "Crypto-asset service provider authorised under MiCA",
          "description": "As defined in MiCA Regulation",
          "legal_ref": "Art. 2(1)(f)",
          "value": "CRYPTO_CASP",
          "next": "sz_010"
        },
        {
          "id": "s_020_crypto_b",
          "label": "Issuer of asset-referenced tokens",
          "description": "As defined in MiCA Regulation",
          "legal_ref": "Art. 2(1)(f)",
          "value": "CRYPTO_ART",
          "next": "sz_010"
        },
        {
          "id": "s_020_crypto_c",
          "label": "I'm not sure / Other",
          "value": "UNSURE",
          "next": "r_consult_crypto"
        }
      ]
    },
    "s_020_ict": {
      "id": "s_020_ict",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "Do you provide ICT services to financial entities in the EU/EEA?",
      "help": "ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service. This excludes traditional analogue telephone services (DORA Art. 3(21)).",
      "legal_ref": "Art. 3(21)",
      "options": [
        {
          "id": "s_020_ict_a",
          "label": "Yes, we provide ICT services to financial entities",
          "value": "ICT_YES",
          "next": "ict_010"
        },
        {
          "id": "s_020_ict_b",
          "label": "No",
          "value": "ICT_NO",
          "next": "r_out_not_financial"
        },
        {
          "id": "s_020_ict_c",
          "label": "I'm not sure",
          "value": "ICT_UNSURE",
          "next": "r_consult_ict"
        }
      ]
    },
    "ict_010": {
      "id": "ict_010",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "Are you an intra-group ICT service provider (providing services predominantly within your own financial group)?",
      "help": "An ICT intra-group service provider is part of a financial group and provides predominantly ICT services to entities within the same group or institutional protection scheme (DORA Art. 3(20)).",
      "legal_ref": "Art. 3(20)",
      "options": [
        {
          "id": "ict_010_a",
          "label": "Yes, we are an intra-group provider",
          "value": "INTRAGROUP",
          "next": "r_ict_intragroup"
        },
        {
          "id": "ict_010_b",
          "label": "No, we are an independent/external provider",
          "value": "EXTERNAL",
          "next": "ict_020"
        }
      ]
    },
    "ict_020": {
      "id": "ict_020",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "How many financial entities in the EU rely on your ICT services for critical or important functions?",
      "help": "A critical or important function is one whose disruption would materially impair the financial performance, soundness, or regulatory compliance of the financial entity (DORA Art. 3(22)).",
      "legal_ref": "Art. 31(2)",
      "edge_case": "ICT third-party providers serving financial entities in only one Member State may still be designated as critical (CTPP) if the financial entities they serve are significant. Voluntary CTPP designation is also possible under Art. 31(11).",
      "options": [
        {
          "id": "ict_020_a",
          "label": "Many (significant market share, including G-SIIs/O-SIIs)",
          "value": "MANY_CRITICAL",
          "next": "ict_030"
        },
        {
          "id": "ict_020_b",
          "label": "Some (a few financial entities, not systemically important)",
          "value": "SOME",
          "next": "r_ict_provider"
        },
        {
          "id": "ict_020_c",
          "label": "Few or unknown",
          "value": "FEW",
          "next": "r_ict_provider"
        }
      ]
    },
    "ict_030": {
      "id": "ict_030",
      "stage": "S2_SECTOR",
      "type": "question",
      "text": "How easily could your financial entity clients switch to an alternative provider?",
      "help": "The ESAs consider substitutability when designating Critical Third-Party Providers (CTPPs). Factors include: market concentration, proprietary technology, migration complexity, and lack of real alternatives (DORA Art. 31(2)(d)).",
      "legal_ref": "Art. 31(2)(d)",
      "options": [
        {
          "id": "ict_030_a",
          "label": "Difficult (proprietary technology, high switching costs, few alternatives)",
          "value": "LOW_SUBST",
          "next": "r_ict_ctpp_likely"
        },
        {
          "id": "ict_030_b",
          "label": "Moderate",
          "value": "MED_SUBST",
          "next": "r_ict_ctpp_possible"
        },
        {
          "id": "ict_030_c",
          "label": "Easy (commodity services, many alternatives)",
          "value": "HIGH_SUBST",
          "next": "r_ict_provider"
        }
      ]
    },
    "x_010_credit": {
      "id": "x_010_credit",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity a post office giro institution as referred to in Article 2(5), point (3), of Directive 2013/36/EU?",
      "help": "Post office giro institutions are specifically excluded from DORA under Art. 2(3)(f).",
      "legal_ref": "Art. 2(3)(f)",
      "options": [
        {
          "id": "x_010_credit_a",
          "label": "Yes",
          "value": "POST_OFFICE",
          "next": "r_out_excluded_post"
        },
        {
          "id": "x_010_credit_b",
          "label": "No",
          "value": "NOT_POST",
          "next": "x_020_credit"
        },
        {
          "id": "x_010_credit_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "next": "x_020_credit"
        }
      ]
    },
    "x_020_credit": {
      "id": "x_020_credit",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity one of the types listed in Article 2(5), points (4) to (23), of Directive 2013/36/EU (e.g., certain promotional banks, public bodies)?",
      "help": "These are specific entity types that Member States may choose to treat differently under banking regulation. Examples include promotional banks, certain public sector bodies, and specific national entities listed in CRD IV.",
      "legal_ref": "Art. 2(4)",
      "options": [
        {
          "id": "x_020_credit_a",
          "label": "Yes",
          "value": "CRD_EXEMPT",
          "next": "x_030_credit"
        },
        {
          "id": "x_020_credit_b",
          "label": "No",
          "value": "NOT_CRD_EXEMPT",
          "next": "sz_010"
        },
        {
          "id": "x_020_credit_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_CRD_STATUS",
          "next": "sz_010"
        }
      ]
    },
    "x_030_credit": {
      "id": "x_030_credit",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Has your Member State exercised the DORA Art. 2(4) discretionary exclusion for your entity type?",
      "help": "Some Member States may choose to exclude certain CRD Art. 2(5)(4)-(23) entities from DORA scope entirely. This is a national decision — check with your national competent authority. If your Member State has NOT excluded you, you remain in scope but qualify for the simplified ICT risk management framework (Art. 16).",
      "legal_ref": "Art. 2(4)",
      "edge_case": "CRD-exempted institutions that are NOT excluded by their Member State qualify for the simplified framework (Art. 16) rather than the full framework.",
      "options": [
        {
          "id": "x_030_credit_a",
          "label": "Yes, my Member State has excluded my entity type",
          "value": "MS_EXCLUDED",
          "next": "r_out_excluded_ms"
        },
        {
          "id": "x_030_credit_b",
          "label": "No, my Member State has NOT excluded my entity type",
          "value": "MS_NOT_EXCLUDED",
          "flag": "SIMPLIFIED_ELIGIBLE",
          "next": "sz_010"
        },
        {
          "id": "x_030_credit_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_MS_EXCLUSION,SIMPLIFIED_ELIGIBLE",
          "next": "sz_010"
        }
      ]
    },
    "x_010_invest": {
      "id": "x_010_invest",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity exempted from MiFID II under Articles 2 or 3 of Directive 2014/65/EU?",
      "help": "Exempted entities include: persons dealing on own account (not market makers), commodity dealers meeting specific conditions, local firms, and other categories listed in MiFID II Art. 2.",
      "legal_ref": "Art. 2(3)(d)",
      "options": [
        {
          "id": "x_010_invest_a",
          "label": "Yes, we are exempted under MiFID II Art. 2 or 3",
          "value": "MIFID_EXEMPT",
          "next": "r_out_excluded_mifid"
        },
        {
          "id": "x_010_invest_b",
          "label": "No, we hold a MiFID II authorisation",
          "value": "NOT_EXEMPT",
          "next": "x_020_invest"
        },
        {
          "id": "x_010_invest_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_MIFID_EXEMPTION",
          "next": "x_020_invest"
        }
      ]
    },
    "x_020_invest": {
      "id": "x_020_invest",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity classified as a 'small and non-interconnected investment firm' under Article 12(1) of Regulation (EU) 2019/2033 (IFR)?",
      "help": "Small and non-interconnected firms meet specific thresholds under the IFR: AUM < EUR 1.2B, client orders handled < EUR 100M/day (cash) or EUR 1B/day (derivatives), balance sheet < EUR 100M, gross revenue < EUR 30M, etc.",
      "legal_ref": "Art. 16(1)",
      "options": [
        {
          "id": "x_020_invest_a",
          "label": "Yes",
          "value": "SMALL_NI",
          "flag": "SIMPLIFIED_ELIGIBLE",
          "next": "sz_010"
        },
        {
          "id": "x_020_invest_b",
          "label": "No",
          "value": "NOT_SMALL_NI",
          "next": "sz_010"
        },
        {
          "id": "x_020_invest_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_SMALL_NI",
          "next": "sz_010"
        }
      ]
    },
    "x_010_aifm": {
      "id": "x_010_aifm",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity a below-threshold AIFM that benefits from the registration-only regime under Article 3(2) of Directive 2011/61/EU (AIFMD)?",
      "help": "Below-threshold AIFMs manage portfolios of AIFs below EUR 100M (with leverage) or EUR 500M (without leverage and no redemption rights for 5 years).",
      "legal_ref": "Art. 2(3)(a)",
      "options": [
        {
          "id": "x_010_aifm_a",
          "label": "Yes, we are a below-threshold / registered-only AIFM",
          "value": "BELOW_THRESHOLD",
          "next": "r_out_excluded_aifm"
        },
        {
          "id": "x_010_aifm_b",
          "label": "No, we are a fully authorised AIFM",
          "value": "AUTHORISED",
          "next": "sz_010"
        },
        {
          "id": "x_010_aifm_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_AIFM_THRESHOLD",
          "next": "sz_010"
        }
      ]
    },
    "x_010_insurance": {
      "id": "x_010_insurance",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity below the Solvency II thresholds set out in Article 4 of Directive 2009/138/EC?",
      "help": "Article 4 of Solvency II allows exclusion for small insurance undertakings below specific thresholds for gross written premium income, technical provisions, and other criteria.",
      "legal_ref": "Art. 2(3)(b)",
      "options": [
        {
          "id": "x_010_insurance_a",
          "label": "Yes, we are below Solvency II thresholds",
          "value": "BELOW_SOLVENCY",
          "next": "r_out_excluded_insurance"
        },
        {
          "id": "x_010_insurance_b",
          "label": "No, we are a Solvency II-regulated entity",
          "value": "ABOVE_SOLVENCY",
          "next": "sz_010"
        },
        {
          "id": "x_010_insurance_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_SOLVENCY_THRESHOLD",
          "next": "sz_010"
        }
      ]
    },
    "x_010_intermediary": {
      "id": "x_010_intermediary",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity a microenterprise or an SME?",
      "help": "For this exclusion, an SME means: fewer than 250 employees AND annual turnover not exceeding EUR 50 million or balance sheet total not exceeding EUR 43 million. Insurance/reinsurance/ancillary intermediaries that are micro or SME are excluded from DORA (Art. 2(3)(e)).",
      "legal_ref": "Art. 2(3)(e)",
      "options": [
        {
          "id": "x_010_intermediary_a",
          "label": "Yes, fewer than 250 employees AND (turnover ≤ EUR 50M or balance sheet ≤ EUR 43M)",
          "value": "SME",
          "next": "r_out_excluded_intermediary"
        },
        {
          "id": "x_010_intermediary_b",
          "label": "No, we exceed SME thresholds",
          "value": "NOT_SME",
          "next": "sz_010"
        },
        {
          "id": "x_010_intermediary_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_SME_STATUS",
          "next": "sz_010"
        }
      ]
    },
    "x_010_iorp": {
      "id": "x_010_iorp",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "How many members does your pension scheme cover in total?",
      "help": "IORPs with 15 or fewer members are excluded from DORA entirely (Art. 2(3)(c)). IORPs with 16-99 members are in scope but qualify for the simplified framework (Art. 16(1)). IORPs with 100 or more members face the full framework.",
      "legal_ref": "Art. 2(3)(c), Art. 16(1)",
      "edge_case": "Transitional provision: Some IORPs may currently benefit from Member State exclusions but could be brought within DORA scope as the regulatory framework evolves. Monitor your national competent authority's position.",
      "options": [
        {
          "id": "x_010_iorp_a",
          "label": "15 or fewer members",
          "value": "IORP_15",
          "next": "r_out_excluded_iorp"
        },
        {
          "id": "x_010_iorp_b",
          "label": "16 to 99 members",
          "value": "IORP_99",
          "flag": "SIMPLIFIED_ELIGIBLE",
          "next": "sz_010"
        },
        {
          "id": "x_010_iorp_c",
          "label": "100 or more members",
          "value": "IORP_100",
          "next": "sz_010"
        }
      ]
    },
    "x_010_payment": {
      "id": "x_010_payment",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity exempted from PSD2 under Article 32(1) of Directive (EU) 2015/2366?",
      "help": "Exempted payment institutions include those with average monthly payment transactions below EUR 3 million, operating under a national waiver. PSD2-exempted payment institutions are NOT excluded from DORA — they remain in scope but qualify for the simplified framework (Art. 16(1)).",
      "legal_ref": "Art. 16(1)",
      "options": [
        {
          "id": "x_010_payment_a",
          "label": "Yes, we are exempted under PSD2",
          "value": "PSD2_EXEMPT",
          "flag": "SIMPLIFIED_ELIGIBLE",
          "next": "sz_010"
        },
        {
          "id": "x_010_payment_b",
          "label": "No, we hold a full PSD2 authorisation",
          "value": "PSD2_FULL",
          "next": "sz_010"
        },
        {
          "id": "x_010_payment_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_PSD2_EXEMPTION",
          "next": "sz_010"
        }
      ]
    },
    "x_010_emoney": {
      "id": "x_010_emoney",
      "stage": "S3_EXCLUSIONS",
      "type": "question",
      "text": "Is your entity exempted from EMD2 under Article 9(1) of Directive 2009/110/EC?",
      "help": "Exempted e-money institutions typically have outstanding e-money below EUR 5 million. EMD2-exempted e-money institutions are NOT excluded from DORA — they qualify for the simplified framework (Art. 16(1)).",
      "legal_ref": "Art. 16(1)",
      "options": [
        {
          "id": "x_010_emoney_a",
          "label": "Yes, we are exempted under EMD2",
          "value": "EMD2_EXEMPT",
          "flag": "SIMPLIFIED_ELIGIBLE",
          "next": "sz_010"
        },
        {
          "id": "x_010_emoney_b",
          "label": "No, we hold a full EMD2 authorisation",
          "value": "EMD2_FULL",
          "next": "sz_010"
        },
        {
          "id": "x_010_emoney_c",
          "label": "I'm not sure",
          "value": "UNSURE",
          "flag": "CONSULT_EMD2_EXEMPTION",
          "next": "sz_010"
        }
      ]
    },
    "sz_010": {
      "id": "sz_010",
      "stage": "S4_SIZE",
      "type": "question",
      "text": "How many people does your entity employ (full-time equivalent)?",
      "help": "This information is used to determine whether your entity qualifies as a microenterprise under DORA Art. 3(60), which provides proportionality benefits.",
      "legal_ref": "Art. 3(60)",
      "edge_case": "For group-level DORA application: where a financial entity belongs to a group, the parent undertaking must ensure group-wide ICT risk management. Size assessment may need to consider the consolidated group level.",
      "options": [
        {
          "id": "sz_010_a",
          "label": "Fewer than 10",
          "value": "FTE_UNDER_10",
          "next": "sz_020"
        },
        {
          "id": "sz_010_b",
          "label": "10 to 249",
          "value": "FTE_10_249",
          "next": "sz_020"
        },
        {
          "id": "sz_010_c",
          "label": "250 or more",
          "value": "FTE_250_PLUS",
          "next": "sz_020"
        }
      ]
    },
    "sz_020": {
      "id": "sz_020",
      "stage": "S4_SIZE",
      "type": "question",
      "text": "What is your entity's annual turnover?",
      "help": "Used together with employee count and balance sheet to determine microenterprise status and general size category.",
      "legal_ref": "Art. 3(60)",
      "options": [
        {
          "id": "sz_020_a",
          "label": "EUR 2 million or less",
          "value": "TO_UNDER_2M",
          "next": "sz_030"
        },
        {
          "id": "sz_020_b",
          "label": "More than EUR 2M, up to EUR 50M",
          "value": "TO_2M_50M",
          "next": "sz_030"
        },
        {
          "id": "sz_020_c",
          "label": "More than EUR 50 million",
          "value": "TO_OVER_50M",
          "next": "sz_030"
        }
      ]
    },
    "sz_030": {
      "id": "sz_030",
      "stage": "S4_SIZE",
      "type": "question",
      "text": "What is your entity's annual balance sheet total?",
      "help": "Used together with employee count and turnover to determine microenterprise status and general size category.",
      "legal_ref": "Art. 3(60)",
      "options": [
        {
          "id": "sz_030_a",
          "label": "EUR 2 million or less",
          "value": "BS_UNDER_2M",
          "next": "sz_result"
        },
        {
          "id": "sz_030_b",
          "label": "More than EUR 2M, up to EUR 43M",
          "value": "BS_2M_43M",
          "next": "sz_result"
        },
        {
          "id": "sz_030_c",
          "label": "More than EUR 43 million",
          "value": "BS_OVER_43M",
          "next": "sz_result"
        }
      ]
    },
    "sz_result": {
      "id": "sz_result",
      "stage": "S4_SIZE",
      "type": "computed",
      "description": "Size classification based on headcount, turnover, and balance sheet",
      "logic": {
        "microenterprise": "FTE < 10 AND (turnover <= 2M OR balance_sheet <= 2M), BUT NOT for CSD/CCP/Trading Venue/Trade Repo (Art. 3(60))",
        "microenterprise_note": "Art. 3(60) references 'microenterprise' as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC, which uses 'and/or' for the financial thresholds (turnover and/or balance sheet total). This tool applies the more generous OR interpretation (i.e., meeting EITHER the turnover OR balance sheet threshold is sufficient), consistent with standard EU practice for the SME Recommendation definition.",
        "micro_ineligible_types": [
          "CSD",
          "CCP",
          "TRADING_VENUE",
          "TRADE_REPO"
        ],
        "size_categories": {
          "LARGE": "FTE >= 250 OR (turnover > 50M AND balance_sheet > 43M)",
          "MEDIUM": "FTE >= 50 OR (turnover >= 10M AND balance_sheet >= 10M)",
          "SMALL": "FTE >= 10 OR (turnover > 2M AND balance_sheet > 2M)",
          "MICRO": "FTE < 10 AND (turnover <= 2M OR balance_sheet <= 2M)"
        },
        "next": "fw_result"
      }
    },
    "fw_result": {
      "id": "fw_result",
      "stage": "S5_FRAMEWORK",
      "type": "computed",
      "description": "Framework classification based on entity type, size, and exclusion flags",
      "logic": {
        "simplified_framework": "SIMPLIFIED_ELIGIBLE flag is set (small non-interconnected investment firms, PSD2-exempted payment institutions, EMD2-exempted e-money institutions, IORPs 16-99 members, CRD-exempted institutions where MS did not exclude)",
        "tlpt_exclusion": "simplified == true OR microenterprise == true => TLPT excluded (Art. 26(1))",
        "tlpt_likelihood": {
          "LIKELY": "CREDIT_INST/CSD/CCP/TRADING_VENUE and LARGE/MEDIUM size",
          "POSSIBLE": "INSUR_UNDER/PAYMENT_INST/EMONEY_INST and LARGE size",
          "UNLIKELY": "All other combinations",
          "EXCLUDED": "simplified == true OR microenterprise == true"
        },
        "result_mapping": {
          "simplified_and_micro": "r_in_scope_micro_simplified",
          "simplified_only": "r_in_scope_simplified",
          "micro_only": "r_in_scope_micro",
          "full": "r_in_scope_full"
        },
        "next": "n_010"
      }
    },
    "n_010": {
      "id": "n_010",
      "stage": "S6_NIS2",
      "type": "question",
      "text": "Is your entity also classified as an essential or important entity under the NIS2 Directive (EU) 2022/2555?",
      "help": "NIS2 applies to entities in sectors like energy, transport, banking, financial market infrastructure, health, digital infrastructure, and others. If your entity falls under both NIS2 and DORA, DORA takes precedence (lex specialis) in five specific areas.",
      "legal_ref": "Art. 1(2), NIS2 Art. 4",
      "edge_case": "Credit institutions and financial market infrastructure entities are NIS2 Annex I sectors and likely subject to NIS2 as well.",
      "options": [
        {
          "id": "n_010_a",
          "label": "Yes",
          "value": "NIS2_YES",
          "flag": "NIS2_OVERLAP",
          "next": "fw_route"
        },
        {
          "id": "n_010_b",
          "label": "No",
          "value": "NIS2_NO",
          "next": "fw_route"
        },
        {
          "id": "n_010_c",
          "label": "I'm not sure",
          "value": "NIS2_UNSURE",
          "flag": "CONSULT_NIS2",
          "next": "fw_route"
        }
      ]
    },
    "fw_route": {
      "id": "fw_route",
      "stage": "S6_NIS2",
      "type": "computed",
      "description": "Routes to the appropriate result node based on computed framework classification. The JavaScript engine reads sz_result and fw_result logic to determine which result node to display.",
      "logic": {
        "routes": {
          "IN_SCOPE_FULL": "r_in_scope_full",
          "IN_SCOPE_SIMPLIFIED": "r_in_scope_simplified",
          "IN_SCOPE_MICRO": "r_in_scope_micro",
          "IN_SCOPE_MICRO_SIMPLIFIED": "r_in_scope_micro_simplified"
        }
      }
    },
    "r_out_jurisdiction": {
      "id": "r_out_jurisdiction",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Not in scope of DORA",
      "summary": "DORA applies to entities operating in the EU/EEA. Your entity does not appear to fall within DORA's territorial scope.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2",
      "notes": [
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert.",
        "Even if not in scope of DORA, other regulations may apply (NIS2, GDPR, national cybersecurity laws).",
        "If you provide ICT services to EU/EEA financial entities, you may still be indirectly affected through contractual requirements."
      ],
      "next_steps": [
        {
          "step": "Review other applicable regulations",
          "description": "Check whether NIS2, GDPR, or national cybersecurity laws apply to your entity"
        },
        {
          "step": "Monitor regulatory developments",
          "description": "DORA's scope may evolve through delegated acts and national implementations"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist if your circumstances are complex",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_not_financial": {
      "id": "r_out_not_financial",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Not a DORA-regulated entity",
      "summary": "Your entity does not appear to be one of the 21 entity types covered by DORA (Art. 2(1)(a)-(u)). DORA applies only to specific financial entities and ICT third-party service providers serving them.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)",
      "notes": [
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert.",
        "Even if excluded from DORA, other regulations may apply (NIS2, GDPR, national cybersecurity laws).",
        "If you provide any digital or data services to financial entities, you may be considered an ICT third-party service provider."
      ],
      "next_steps": [
        {
          "step": "Verify your entity classification",
          "description": "If you hold any financial authorisation or registration, re-run the assessment selecting the appropriate sector"
        },
        {
          "step": "Check NIS2 applicability",
          "description": "Your entity may fall under NIS2 if it operates in a covered sector (energy, transport, health, digital infrastructure, etc.)",
          "url": "https://nis2.asphaliaconsulting.be"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a compliance specialist if your entity's classification is unclear",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_excluded_post": {
      "id": "r_out_excluded_post",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Excluded — Post office giro institution",
      "summary": "Post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU are excluded from DORA under Art. 2(3)(f).",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(3)(f)",
      "notes": [
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert.",
        "Even if excluded from DORA, other regulations may apply (NIS2, GDPR, national cybersecurity laws)."
      ],
      "next_steps": [
        {
          "step": "Verify exclusion status",
          "description": "Confirm with your national competent authority that your entity qualifies as a post office giro institution under CRD Art. 2(5)(3)"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist if your classification is uncertain",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_excluded_ms": {
      "id": "r_out_excluded_ms",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Excluded — Member State discretionary exclusion",
      "summary": "Your Member State has exercised the discretionary exclusion under DORA Art. 2(4) for entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU. Your entity is therefore excluded from DORA scope.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(4)",
      "notes": [
        "This exclusion is a national decision. If your Member State reverses this decision, your entity would come into DORA scope.",
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert.",
        "Even if excluded from DORA, other regulations may apply (NIS2, GDPR, national cybersecurity laws)."
      ],
      "next_steps": [
        {
          "step": "Monitor national implementation",
          "description": "Member States may change their Art. 2(4) exclusion decisions. Stay informed of regulatory developments."
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist for confirmation",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_excluded_mifid": {
      "id": "r_out_excluded_mifid",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Excluded — MiFID II exempted entity",
      "summary": "Entities exempted from MiFID II under Articles 2 or 3 of Directive 2014/65/EU are excluded from DORA under Art. 2(3)(d).",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(3)(d)",
      "notes": [
        "This assessment is indicative. If your circumstances change (e.g., you obtain a MiFID II authorisation), reassess your DORA status.",
        "Even if excluded from DORA, other regulations may apply (NIS2, GDPR, national cybersecurity laws)."
      ],
      "next_steps": [
        {
          "step": "Verify MiFID II exemption",
          "description": "Confirm with your national competent authority that your entity is indeed exempted under MiFID II Art. 2 or 3"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist if your MiFID II status is uncertain",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_excluded_aifm": {
      "id": "r_out_excluded_aifm",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Excluded — Below-threshold AIFM",
      "summary": "Below-threshold AIFMs under AIFMD Art. 3(2) are excluded from DORA (Art. 2(3)(a)). These are AIFMs managing portfolios below EUR 100M (with leverage) or below EUR 500M (unleveraged, with no redemption rights for 5 years).",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(3)(a)",
      "notes": [
        "If your AIF portfolio grows above the thresholds and you obtain full AIFMD authorisation, you would come into DORA scope.",
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert.",
        "Even if excluded from DORA, other regulations may apply (NIS2, GDPR, national cybersecurity laws)."
      ],
      "next_steps": [
        {
          "step": "Monitor portfolio thresholds",
          "description": "If your AIF portfolio approaches the AIFMD thresholds, plan for potential DORA compliance"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist if your threshold status is uncertain",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_excluded_insurance": {
      "id": "r_out_excluded_insurance",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Excluded — Below Solvency II thresholds",
      "summary": "Insurance and reinsurance undertakings below the Solvency II thresholds set out in Article 4 of Directive 2009/138/EC are excluded from DORA (Art. 2(3)(b)).",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(3)(b)",
      "notes": [
        "If your entity grows above the Solvency II thresholds, you would come into DORA scope.",
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert.",
        "Even if excluded from DORA, other regulations may apply (NIS2, GDPR, national cybersecurity laws)."
      ],
      "next_steps": [
        {
          "step": "Monitor Solvency II thresholds",
          "description": "If your entity approaches the Solvency II Article 4 thresholds, plan for potential DORA compliance"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist if your Solvency II status is uncertain",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_excluded_intermediary": {
      "id": "r_out_excluded_intermediary",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Excluded — SME insurance intermediary",
      "summary": "Insurance, reinsurance, and ancillary insurance intermediaries that are microenterprises or SMEs (fewer than 250 employees AND either an annual turnover not exceeding EUR 50 million or a balance sheet total not exceeding EUR 43 million) are excluded from DORA (Art. 2(3)(e)).",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(3)(e)",
      "notes": [
        "If your entity grows beyond SME thresholds, you would come into DORA scope.",
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert.",
        "Even if excluded from DORA, other regulations may apply (NIS2, GDPR, IDD requirements, national cybersecurity laws)."
      ],
      "next_steps": [
        {
          "step": "Monitor growth against SME thresholds",
          "description": "If your entity approaches 250 employees or exceeds both EUR 50M turnover and EUR 43M balance sheet, plan for DORA compliance"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist if your SME status is uncertain",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_out_excluded_iorp": {
      "id": "r_out_excluded_iorp",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "OUT_OF_SCOPE",
      "title": "Excluded — IORP with 15 or fewer members",
      "summary": "Institutions for occupational retirement provision (IORPs) with 15 or fewer members in total are excluded from DORA (Art. 2(3)(c)).",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(3)(c)",
      "notes": [
        "If your pension scheme grows above 15 members, your entity would come into DORA scope.",
        "IORPs with 16-99 members qualify for the simplified framework (Art. 16). IORPs with 100+ members face the full framework.",
        "This assessment is indicative. If your circumstances change, or if you are unsure, consult a legal expert."
      ],
      "next_steps": [
        {
          "step": "Monitor membership growth",
          "description": "If your pension scheme approaches or exceeds 15 members, plan for DORA compliance (simplified framework applies for 16-99 members)"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist for guidance",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_consult_banking": {
      "id": "r_consult_banking",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "CONSULT_EXPERT",
      "title": "Expert consultation recommended — Banking sector",
      "summary": "We could not determine your entity's exact classification within the banking sector. We recommend consulting a DORA compliance specialist or your national competent authority for a definitive assessment.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)(a)",
      "notes": [
        "DORA covers credit institutions as defined in Regulation (EU) No 575/2013 (CRR). If you hold a banking licence, you are likely in scope.",
        "Your national competent authority (e.g., national banking supervisor or ECB/SSM) can provide definitive guidance."
      ],
      "next_steps": [
        {
          "step": "Contact your national competent authority",
          "description": "Your national banking supervisor or the ECB (for significant institutions) can confirm your DORA status"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for a detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_consult_payment": {
      "id": "r_consult_payment",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "CONSULT_EXPERT",
      "title": "Expert consultation recommended — Payment services sector",
      "summary": "We could not determine your entity's exact classification within the payment services sector. We recommend consulting a DORA compliance specialist or your national competent authority for a definitive assessment.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)(b)-(d)",
      "notes": [
        "DORA covers payment institutions (PSD2), account information service providers (PSD2), and electronic money institutions (EMD2).",
        "Your national payment services supervisor can provide definitive guidance."
      ],
      "next_steps": [
        {
          "step": "Contact your national competent authority",
          "description": "Your national payment services supervisor can confirm your DORA status"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for a detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_consult_investment": {
      "id": "r_consult_investment",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "CONSULT_EXPERT",
      "title": "Expert consultation recommended — Investment services sector",
      "summary": "We could not determine your entity's exact classification within the investment services sector. We recommend consulting a DORA compliance specialist or your national competent authority for a definitive assessment.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)(e),(k)-(m),(s)",
      "notes": [
        "DORA covers investment firms (MiFID II), AIFMs (AIFMD), UCITS management companies, data reporting service providers (MiFIR), and crowdfunding service providers.",
        "Your national securities supervisor can provide definitive guidance."
      ],
      "next_steps": [
        {
          "step": "Contact your national competent authority",
          "description": "Your national securities supervisor can confirm your DORA status"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for a detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_consult_insurance": {
      "id": "r_consult_insurance",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "CONSULT_EXPERT",
      "title": "Expert consultation recommended — Insurance & pensions sector",
      "summary": "We could not determine your entity's exact classification within the insurance and pensions sector. We recommend consulting a DORA compliance specialist or your national competent authority for a definitive assessment.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)(n)-(p)",
      "notes": [
        "DORA covers insurance/reinsurance undertakings (Solvency II), insurance/reinsurance/ancillary intermediaries (IDD), and IORPs.",
        "Your national insurance supervisor can provide definitive guidance."
      ],
      "next_steps": [
        {
          "step": "Contact your national competent authority",
          "description": "Your national insurance supervisor can confirm your DORA status"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for a detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_consult_infra": {
      "id": "r_consult_infra",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "CONSULT_EXPERT",
      "title": "Expert consultation recommended — Market infrastructure",
      "summary": "We could not determine your entity's exact classification within the market infrastructure sector. We recommend consulting a DORA compliance specialist or your national competent authority for a definitive assessment.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)(g)-(j),(q)-(r),(t)",
      "notes": [
        "DORA covers CSDs, CCPs, trading venues, trade repositories, credit rating agencies, critical benchmark administrators, and securitisation repositories.",
        "Your national securities/market supervisor or ESMA can provide definitive guidance."
      ],
      "next_steps": [
        {
          "step": "Contact your national competent authority",
          "description": "Your national securities/market supervisor or ESMA can confirm your DORA status"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for a detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_consult_crypto": {
      "id": "r_consult_crypto",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "CONSULT_EXPERT",
      "title": "Expert consultation recommended — Crypto-assets sector",
      "summary": "We could not determine your entity's exact classification within the crypto-assets sector. We recommend consulting a DORA compliance specialist or your national competent authority for a definitive assessment.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)(f)",
      "notes": [
        "DORA covers crypto-asset service providers authorised under MiCA and issuers of asset-referenced tokens.",
        "Your national authority designated under MiCA can provide definitive guidance."
      ],
      "next_steps": [
        {
          "step": "Contact your national competent authority",
          "description": "Your national authority designated under MiCA can confirm your DORA status"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for a detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_consult_ict": {
      "id": "r_consult_ict",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "CONSULT_EXPERT",
      "title": "Expert consultation recommended — ICT service provider",
      "summary": "We could not determine whether your entity qualifies as an ICT third-party service provider under DORA. We recommend consulting a DORA compliance specialist for a definitive assessment.",
      "classification": null,
      "obligations": [],
      "deadlines": [],
      "sanctions": null,
      "legal_ref": "Art. 2(1)(u), Art. 3(21)",
      "notes": [
        "'ICT services' means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service (Art. 3(21)).",
        "Traditional analogue telephone services are excluded.",
        "If you provide any cloud, software, data, or infrastructure services to financial entities, you are likely considered an ICT third-party service provider."
      ],
      "next_steps": [
        {
          "step": "Review your service contracts",
          "description": "Check whether any of your clients are EU/EEA financial entities and whether your services qualify as ICT services under DORA Art. 3(21)"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for a detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_in_scope_full": {
      "id": "r_in_scope_full",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_FULL",
      "title": "IN SCOPE — Full Framework",
      "summary": "Your entity is in scope of DORA and subject to the full ICT risk management framework (Art. 5-15). This includes comprehensive obligations across six pillars: ICT risk management, incident reporting, resilience testing, third-party risk management, information sharing, and governance.",
      "classification": "FULL_FRAMEWORK",
      "obligations": [
        {
          "category": "ICT Risk Management",
          "pillar": 1,
          "article": "Art. 5-16",
          "items": [
            "Establish sound, comprehensive, well-documented ICT risk management framework",
            "Management body assumes ultimate accountability for ICT risk",
            "Ensure availability, authenticity, integrity, confidentiality of data",
            "Annual review of framework (minimum)",
            "Three lines of defence model",
            "Dedicated ICT risk management control function",
            "Digital operational resilience strategy",
            "Mandatory policies: information security, access control, authentication, encryption, change management, patch/update",
            "ICT reference architecture documentation",
            "Business continuity policy and plans",
            "Crisis communication plans",
            "ICT security awareness programmes (compulsory for all staff)",
            "Regular internal audits by qualified personnel"
          ]
        },
        {
          "category": "Incident Management & Reporting",
          "pillar": 2,
          "article": "Art. 17-23",
          "items": [
            "Implement early warning indicators",
            "Incident identification, classification, and response procedures",
            "Classification criteria: client impact, duration, data losses, geographic spread, service criticality, economic impact",
            "Customer notification without undue delay if clients' financial interests impacted",
            "Post-incident reviews mandatory",
            "Voluntary notification of significant cyber threats encouraged"
          ],
          "incident_reporting": {
            "initial": {
              "deadline": "Within 4 hours of classifying the incident as major, and no later than 24 hours after detection",
              "content": "Basic facts, impact assessment"
            },
            "intermediate": {
              "deadline": "72 hours after initial notification",
              "content": "Updated assessment, root cause analysis"
            },
            "final": {
              "deadline": "1 month after incident",
              "content": "Full analysis, lessons learned, remediation"
            }
          }
        },
        {
          "category": "Digital Operational Resilience Testing",
          "pillar": 3,
          "article": "Art. 24-27",
          "items": [
            "Risk-based testing programme for ICT systems supporting critical/important functions",
            "Testing at least annually",
            "Testing types: vulnerability assessments, network security reviews, source code analysis, penetration testing, gap analyses, physical security reviews, software scanning, compatibility testing",
            "All discovered vulnerabilities must be addressed (including low/medium severity)",
            "TLPT (threat-led penetration testing), where the entity is identified by the competent authority: every 3 years, on live production systems, under the TIBER-EU framework"
          ]
        },
        {
          "category": "ICT Third-Party Risk Management",
          "pillar": 4,
          "article": "Art. 28-44",
          "items": [
            "Adopt and regularly review ICT third-party risk strategy",
            "Maintain register of information on ALL ICT service contracts",
            "Distinguish providers supporting critical/important functions",
            "Pre-contractual due diligence and risk assessment",
            "Mandatory contract provisions (Art. 30): SLAs, data location, audit rights, exit strategies, incident assistance, termination provisions",
            "Comprehensive exit strategies for critical function providers",
            "Annual reporting of new/changed critical function arrangements to authorities",
            "Entity retains full responsibility even when outsourcing",
            "ICT concentration risk assessment"
          ]
        },
        {
          "category": "Information Sharing",
          "pillar": 5,
          "article": "Art. 45",
          "items": [
            "Encouraged (not mandatory) to participate in cyber threat intelligence sharing",
            "Where the entity does participate, it must report its participation in sharing arrangements",
            "Sharing takes place within trusted, confidentiality-respecting frameworks"
          ]
        },
        {
          "category": "Governance",
          "pillar": 6,
          "article": "Art. 5",
          "items": [
            "Management body: ultimate accountability, approve policies, allocate budgets",
            "Regular training for management body members on ICT risk",
            "Reporting channels for ICT incidents and third-party arrangements",
            "Designated monitoring role for ICT third-party arrangements"
          ]
        }
      ],
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies"
        },
        {
          "date": "2025-04-15",
          "description": "Register of Information submission to supervisory authorities (varies by Member State)"
        },
        {
          "date": "2025-04-11",
          "description": "Germany: BaFin RoI submission deadline"
        },
        {
          "date": "2025-04-15",
          "description": "France: ACPR RoI submission deadline"
        },
        {
          "date": null,
          "description": "Annual resilience testing programme (ongoing)"
        },
        {
          "date": null,
          "description": "TLPT every 3 years (if identified by competent authority)"
        },
        {
          "date": null,
          "description": "Annual ICT risk management framework review"
        },
        {
          "date": null,
          "description": "Annual report on ICT third-party arrangements"
        }
      ],
      "sanctions": {
        "primary_note": "IMPORTANT: DORA Art. 50-52 do NOT specify penalty amounts. They delegate penalty determination entirely to each Member State, requiring only that penalties be 'effective, proportionate and dissuasive.' Actual penalties vary by Member State and are set through national implementing legislation.",
        "member_state_determined": true,
        "legal_ref": "Art. 50-52",
        "indicative_examples": {
          "disclaimer": "The following figures are indicative examples drawn from industry analysis and early national implementations. They do NOT appear in the DORA regulation text and should not be relied upon as definitive.",
          "max_fine_turnover": "Up to 2% of total annual worldwide turnover (industry estimate)",
          "max_fine_entity": "Up to EUR 5,000,000 (industry estimate)",
          "max_fine_individual": "Up to EUR 1,000,000 (industry estimate)"
        },
        "management_ban": "Possible — Member State dependent",
        "criminal_sanctions": "Member State dependent (Art. 52)",
        "violation_tiers": [
          {
            "tier": 1,
            "label": "Most Serious",
            "examples": "Missing ICT risk framework, non-reporting of major incidents, inadequate testing, no exit strategies, obstruction of supervision"
          },
          {
            "tier": 2,
            "label": "Significant",
            "examples": "Incomplete documentation, inadequate third-party oversight, non-compliant contracts, missing register"
          },
          {
            "tier": 3,
            "label": "Administrative",
            "examples": "Late reporting, minor documentation gaps, procedural issues"
          }
        ],
        "aggravating_factors": "Repeated violations, deliberate non-compliance, obstruction, failure to remediate, significant customer impact, senior management involvement",
        "additional_measures": "Public disclosure of breaches, suspension of service agreements, prohibition of contracting specific providers, license suspension (extreme cases), binding remediation orders"
      },
      "nis2_interaction": {
        "status": "lex_specialis",
        "condition": "Only displayed when NIS2_OVERLAP flag is set",
        "description": "Your entity appears to fall under both DORA and NIS2. DORA is designated as lex specialis (sector-specific law) under NIS2's Article 4.",
        "dora_supersedes": [
          "ICT risk management (Art. 6 et seq.)",
          "ICT incident management and reporting (Art. 17 et seq.)",
          "Digital operational resilience testing (Art. 24 et seq.)",
          "Information-sharing arrangements (Art. 45)",
          "ICT third-party risk management (Art. 28 et seq.)"
        ],
        "nis2_not_applicable": "NIS2 Chapter VII (supervision and enforcement) does not apply",
        "note": "Other NIS2 requirements may remain applicable — no blanket exemption"
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1774",
          "subject": "ICT Risk Management Framework"
        },
        {
          "id": "RTS 2024/1772",
          "subject": "Incident Classification Criteria"
        },
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/1771",
          "subject": "Incident Reporting Templates"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        },
        {
          "id": "RTS 2025/301",
          "subject": "Incident Reporting Content and Time Limits"
        },
        {
          "id": "ITS 2025/302",
          "subject": "Incident Reporting Forms"
        },
        {
          "id": "RTS 2025/532",
          "subject": "Subcontracting Critical ICT Services"
        },
        {
          "id": "RTS 2025/1190",
          "subject": "Threat-Led Penetration Testing"
        }
      ],
      "legal_ref": "Art. 5-16, 17-23, 24-27, 28-44, 45, 50-52",
      "notes": [
        "This assessment is indicative and based on your answers. A definitive classification requires professional legal analysis.",
        "DORA applies at entity level, but ICT risk management may be defined at group level. Each regulated entity within a group must comply individually.",
        "Entities with multiple authorisations should apply DORA based on their primary/most demanding authorisation."
      ],
      "next_steps": [
        {
          "step": "Gap analysis",
          "description": "Compare DORA requirements against current policies, procedures, and controls"
        },
        {
          "step": "Governance setup",
          "description": "Ensure management body accountability, allocate budgets, designate ICT risk roles"
        },
        {
          "step": "ICT risk management framework",
          "description": "Establish/update comprehensive framework with all mandatory policies"
        },
        {
          "step": "Incident response",
          "description": "Implement classification, detection, and reporting procedures (4h/72h/1mo)"
        },
        {
          "step": "Third-party management",
          "description": "Build/update register of all ICT service providers, review contracts for DORA compliance"
        },
        {
          "step": "Resilience testing",
          "description": "Establish annual testing programme (vulnerability scans, pentests, scenario drills)"
        },
        {
          "step": "Training",
          "description": "Comprehensive ICT risk training for management body and all employees"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist for detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_in_scope_simplified": {
      "id": "r_in_scope_simplified",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_SIMPLIFIED",
      "title": "IN SCOPE — Simplified Framework",
      "summary": "Your entity is in scope of DORA and qualifies for the simplified ICT risk management framework under Article 16. This is a lighter set of requirements compared to the full framework (Art. 5-15), but incident reporting, resilience testing, and third-party risk management obligations still apply.",
      "classification": "SIMPLIFIED_FRAMEWORK",
      "obligations": [
        {
          "category": "Simplified ICT Risk Management",
          "pillar": 1,
          "article": "Art. 16",
          "items": [
            "Sound and documented ICT risk management framework (not required to be 'comprehensive')",
            "Continuous monitoring of ICT security and functionality",
            "Prompt identification of risk sources",
            "Periodic review of framework (not annual minimum)",
            "Business continuity with backup and recovery",
            "Regular (not annual) testing",
            "No three-lines-of-defence requirement",
            "No dedicated ICT risk management control function required",
            "No crisis communication function required",
            "No digital operational resilience strategy requirement"
          ],
          "note": "RTS 2024/1774 Title III (Art. 28-41) applies instead of Title II for simplified framework entities."
        },
        {
          "category": "Incident Management & Reporting",
          "pillar": 2,
          "article": "Art. 17-23",
          "items": [
            "Implement early warning indicators",
            "Incident identification, classification, and response procedures",
            "Classification criteria: client impact, duration, data losses, geographic spread, service criticality, economic impact",
            "Customer notification without undue delay if clients' financial interests impacted",
            "Post-incident reviews mandatory",
            "Voluntary notification of significant cyber threats encouraged"
          ],
          "incident_reporting": {
            "initial": {
              "deadline": "4 hours after classification as major, max 24 hours after detection",
              "content": "Basic facts, impact assessment"
            },
            "intermediate": {
              "deadline": "72 hours after initial notification",
              "content": "Updated assessment, root cause analysis"
            },
            "final": {
              "deadline": "1 month after incident",
              "content": "Full analysis, lessons learned, remediation"
            }
          }
        },
        {
          "category": "Digital Operational Resilience Testing",
          "pillar": 3,
          "article": "Art. 24-25",
          "items": [
            "Risk-based testing programme for ICT systems supporting critical/important functions",
            "Basic resilience testing required",
            "TLPT explicitly excluded (Art. 26(1))"
          ]
        },
        {
          "category": "ICT Third-Party Risk Management",
          "pillar": 4,
          "article": "Art. 28-44",
          "items": [
            "Adopt and regularly review ICT third-party risk strategy",
            "Maintain register of information on ALL ICT service contracts",
            "Distinguish providers supporting critical/important functions",
            "Pre-contractual due diligence and risk assessment",
            "Mandatory contract provisions (Art. 30): SLAs, data location, audit rights, exit strategies, incident assistance, termination provisions",
            "Comprehensive exit strategies for critical function providers",
            "Entity retains full responsibility even when outsourcing",
            "ICT concentration risk assessment",
            "Annual reporting of new/changed critical function arrangements to authorities"
          ]
        },
        {
          "category": "Information Sharing",
          "pillar": 5,
          "article": "Art. 45",
          "items": [
            "Encouraged (not mandatory) to participate in cyber threat intelligence sharing",
            "Where the entity does participate, it must report its participation in sharing arrangements",
            "Sharing takes place within trusted, confidentiality-respecting frameworks"
          ]
        },
        {
          "category": "Governance",
          "pillar": 6,
          "article": "Art. 5",
          "items": [
            "Management body: ultimate accountability, approve policies, allocate budgets",
            "Regular training for management body members on ICT risk",
            "Reporting channels for ICT incidents and third-party arrangements"
          ]
        }
      ],
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies"
        },
        {
          "date": "2025-04-15",
          "description": "Register of Information submission to supervisory authorities (varies by Member State)"
        },
        {
          "date": "2025-04-11",
          "description": "Germany: BaFin RoI submission deadline"
        },
        {
          "date": "2025-04-15",
          "description": "France: ACPR RoI submission deadline"
        },
        {
          "date": null,
          "description": "Periodic resilience testing (ongoing)"
        },
        {
          "date": null,
          "description": "Periodic ICT risk management framework review"
        }
      ],
      "sanctions": {
        "primary_note": "IMPORTANT: DORA Art. 50-52 do NOT specify penalty amounts. They delegate penalty determination entirely to each Member State, requiring only that penalties be 'effective, proportionate and dissuasive.' Actual penalties vary by Member State and are set through national implementing legislation.",
        "member_state_determined": true,
        "legal_ref": "Art. 50-52",
        "indicative_examples": {
          "disclaimer": "The following figures are indicative examples drawn from industry analysis and early national implementations. They do NOT appear in the DORA regulation text and should not be relied upon as definitive.",
          "max_fine_turnover": "Up to 2% of total annual worldwide turnover (industry estimate)",
          "max_fine_entity": "Up to EUR 5,000,000 (industry estimate)",
          "max_fine_individual": "Up to EUR 1,000,000 (industry estimate)"
        },
        "management_ban": "Possible — Member State dependent",
        "criminal_sanctions": "Member State dependent (Art. 52)"
      },
      "nis2_interaction": {
        "status": "lex_specialis",
        "condition": "Only displayed when NIS2_OVERLAP flag is set",
        "description": "Your entity appears to fall under both DORA and NIS2. DORA is designated as lex specialis (sector-specific law) under NIS2's Article 4.",
        "dora_supersedes": [
          "ICT risk management (Art. 6 et seq.)",
          "ICT incident management and reporting (Art. 17 et seq.)",
          "Digital operational resilience testing (Art. 24 et seq.)",
          "Information-sharing arrangements (Art. 45)",
          "ICT third-party risk management (Art. 28 et seq.)"
        ],
        "nis2_not_applicable": "NIS2 Chapter VII (supervision and enforcement) does not apply",
        "note": "Other NIS2 requirements may remain applicable — no blanket exemption"
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1774",
          "subject": "ICT Risk Management Framework (Title III for simplified framework)"
        },
        {
          "id": "RTS 2024/1772",
          "subject": "Incident Classification Criteria"
        },
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/1771",
          "subject": "Incident Reporting Templates"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        },
        {
          "id": "RTS 2025/301",
          "subject": "Incident Reporting Content and Time Limits"
        },
        {
          "id": "ITS 2025/302",
          "subject": "Incident Reporting Forms"
        },
        {
          "id": "RTS 2025/532",
          "subject": "Subcontracting Critical ICT Services"
        }
      ],
      "legal_ref": "Art. 16, 17-23, 24-25, 28-44, 45, 50-52",
      "notes": [
        "Your entity qualifies for the simplified framework. This means lighter ICT risk management requirements but the same incident reporting obligations.",
        "TLPT is explicitly excluded for simplified framework entities (Art. 26(1)).",
        "RTS 2024/1774 Title III (Art. 28-41) applies instead of Title II.",
        "This assessment is indicative and based on your answers. A definitive classification requires professional legal analysis."
      ],
      "next_steps": [
        {
          "step": "Gap analysis",
          "description": "Compare DORA Art. 16 simplified requirements against current policies, procedures, and controls"
        },
        {
          "step": "Governance setup",
          "description": "Ensure management body accountability, allocate budgets, designate ICT risk roles"
        },
        {
          "step": "ICT risk management framework",
          "description": "Establish/update framework meeting Art. 16 simplified requirements"
        },
        {
          "step": "Incident response",
          "description": "Implement classification, detection, and reporting procedures (4h/72h/1mo)"
        },
        {
          "step": "Third-party management",
          "description": "Build/update register of all ICT service providers, review contracts for DORA compliance"
        },
        {
          "step": "Resilience testing",
          "description": "Establish periodic testing programme"
        },
        {
          "step": "Training",
          "description": "ICT risk training for management body and employees"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist for detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_in_scope_micro": {
      "id": "r_in_scope_micro",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_MICRO",
      "title": "IN SCOPE — Microenterprise with Proportionality",
      "summary": "Your entity is in scope of DORA and qualifies as a microenterprise under Art. 3(60). As a microenterprise, your entity benefits from proportionality under DORA Article 4. This means obligations are calibrated to your size, risk profile, and the nature/complexity of your operations. However, proportionality is NOT an exemption — all core requirements still apply.",
      "classification": "FULL_FRAMEWORK_MICRO",
      "micro_reliefs": [
        "Crisis management function not required",
        "Redundant ICT capacities assessed based on risk profile (not mandatory)",
        "Third-party monitoring role not specifically required",
        "ICT security training 'as appropriate' (not compulsory modules)",
        "TLPT excluded (Art. 26(1))",
        "Functions may be combined (no mandatory separation)"
      ],
      "obligations": [
        {
          "category": "ICT Risk Management (Proportionate)",
          "pillar": 1,
          "article": "Art. 5-16",
          "items": [
            "Establish ICT risk management framework (proportionate to size and risk profile)",
            "Management body assumes ultimate accountability for ICT risk",
            "Ensure availability, authenticity, integrity, confidentiality of data",
            "Annual review of framework",
            "Three lines of defence model (functions may be combined)",
            "ICT risk management control function (not required to be separate/dedicated)",
            "Digital operational resilience strategy (not explicitly required for micro)",
            "Mandatory policies: information security, access control, authentication, encryption, change management, patch/update",
            "Business continuity policy and plans",
            "Crisis communication plans (not required for micro)",
            "ICT security awareness programmes ('as appropriate')"
          ]
        },
        {
          "category": "Incident Management & Reporting",
          "pillar": 2,
          "article": "Art. 17-23",
          "items": [
            "Implement early warning indicators",
            "Incident identification, classification, and response procedures",
            "Same reporting deadlines as full framework entities",
            "Customer notification without undue delay if clients' financial interests impacted",
            "Post-incident reviews mandatory"
          ],
          "incident_reporting": {
            "initial": {
              "deadline": "4 hours after classification as major, max 24 hours after detection",
              "content": "Basic facts, impact assessment"
            },
            "intermediate": {
              "deadline": "72 hours after initial notification",
              "content": "Updated assessment, root cause analysis"
            },
            "final": {
              "deadline": "1 month after incident",
              "content": "Full analysis, lessons learned, remediation"
            }
          }
        },
        {
          "category": "Digital Operational Resilience Testing (Proportionate)",
          "pillar": 3,
          "article": "Art. 24-25",
          "items": [
            "Risk-based testing programme (proportionate to size)",
            "Annual basic testing required",
            "TLPT excluded (Art. 26(1))"
          ]
        },
        {
          "category": "ICT Third-Party Risk Management",
          "pillar": 4,
          "article": "Art. 28-44",
          "items": [
            "Adopt and regularly review ICT third-party risk strategy",
            "Maintain register of information on ALL ICT service contracts",
            "Mandatory contract provisions (Art. 30)",
            "Exit strategies for critical function providers",
            "Entity retains full responsibility even when outsourcing"
          ]
        },
        {
          "category": "Information Sharing",
          "pillar": 5,
          "article": "Art. 45",
          "items": [
            "Encouraged (not mandatory) to participate in cyber threat intelligence sharing"
          ]
        },
        {
          "category": "Governance",
          "pillar": 6,
          "article": "Art. 5",
          "items": [
            "Management body: ultimate accountability, approve policies, allocate budgets",
            "Regular training for management body members on ICT risk",
            "Designated monitoring role for ICT third-party arrangements (not required for micro)"
          ]
        }
      ],
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies"
        },
        {
          "date": "2025-04-15",
          "description": "Register of Information submission to supervisory authorities (varies by Member State)"
        },
        {
          "date": "2025-04-11",
          "description": "Germany: BaFin RoI submission deadline"
        },
        {
          "date": "2025-04-15",
          "description": "France: ACPR RoI submission deadline"
        },
        {
          "date": null,
          "description": "Annual resilience testing programme (proportionate, ongoing)"
        },
        {
          "date": null,
          "description": "Annual ICT risk management framework review"
        }
      ],
      "sanctions": {
        "primary_note": "IMPORTANT: DORA Art. 50-52 do NOT specify penalty amounts. They delegate penalty determination entirely to each Member State, requiring only that penalties be 'effective, proportionate and dissuasive.' Actual penalties vary by Member State and are set through national implementing legislation.",
        "member_state_determined": true,
        "legal_ref": "Art. 50-52",
        "indicative_examples": {
          "disclaimer": "The following figures are indicative examples drawn from industry analysis and early national implementations. They do NOT appear in the DORA regulation text and should not be relied upon as definitive.",
          "max_fine_turnover": "Up to 2% of total annual worldwide turnover (industry estimate)",
          "max_fine_entity": "Up to EUR 5,000,000 (industry estimate)",
          "max_fine_individual": "Up to EUR 1,000,000 (industry estimate)"
        },
        "management_ban": "Possible — Member State dependent",
        "criminal_sanctions": "Member State dependent (Art. 52)"
      },
      "nis2_interaction": {
        "status": "lex_specialis",
        "condition": "Only displayed when NIS2_OVERLAP flag is set",
        "description": "Your entity appears to fall under both DORA and NIS2. DORA is designated as lex specialis (sector-specific law) under NIS2's Article 4.",
        "dora_supersedes": [
          "ICT risk management (Art. 6 et seq.)",
          "ICT incident management and reporting (Art. 17 et seq.)",
          "Digital operational resilience testing (Art. 24 et seq.)",
          "Information-sharing arrangements (Art. 45)",
          "ICT third-party risk management (Art. 28 et seq.)"
        ],
        "nis2_not_applicable": "NIS2 Chapter VII (supervision and enforcement) does not apply",
        "note": "Other NIS2 requirements may remain applicable — no blanket exemption"
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1774",
          "subject": "ICT Risk Management Framework"
        },
        {
          "id": "RTS 2024/1772",
          "subject": "Incident Classification Criteria"
        },
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/1771",
          "subject": "Incident Reporting Templates"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        },
        {
          "id": "RTS 2025/301",
          "subject": "Incident Reporting Content and Time Limits"
        },
        {
          "id": "ITS 2025/302",
          "subject": "Incident Reporting Forms"
        },
        {
          "id": "RTS 2025/532",
          "subject": "Subcontracting Critical ICT Services"
        }
      ],
      "legal_ref": "Art. 3(60), 4, 5-16, 17-23, 24-25, 28-44, 45, 50-52",
      "notes": [
        "Microenterprise status provides proportionality relief, not exemption. Core DORA requirements still apply.",
        "TLPT is excluded for microenterprises (Art. 26(1)).",
        "This assessment is indicative and based on your answers. A definitive classification requires professional legal analysis."
      ],
      "next_steps": [
        {
          "step": "Gap analysis",
          "description": "Compare DORA requirements (with proportionality) against current policies, procedures, and controls"
        },
        {
          "step": "Governance setup",
          "description": "Ensure management body accountability, allocate budgets, designate ICT risk roles"
        },
        {
          "step": "ICT risk management framework",
          "description": "Establish/update framework proportionate to your size and risk profile"
        },
        {
          "step": "Incident response",
          "description": "Implement classification, detection, and reporting procedures (4h/72h/1mo)"
        },
        {
          "step": "Third-party management",
          "description": "Build/update register of all ICT service providers, review contracts for DORA compliance"
        },
        {
          "step": "Resilience testing",
          "description": "Establish proportionate annual testing programme"
        },
        {
          "step": "Training",
          "description": "ICT risk training for management body and employees (as appropriate)"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist for detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_in_scope_micro_simplified": {
      "id": "r_in_scope_micro_simplified",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_MICRO_SIMPLIFIED",
      "title": "IN SCOPE — Microenterprise with Simplified Framework",
      "summary": "Your entity is in scope of DORA as a microenterprise qualifying for the simplified ICT risk management framework (Art. 16). This is the lightest obligation tier under DORA, combining simplified framework requirements with microenterprise proportionality benefits. However, this is NOT an exemption — core requirements still apply.",
      "classification": "SIMPLIFIED_FRAMEWORK_MICRO",
      "micro_reliefs": [
        "Crisis management function not required",
        "Redundant ICT capacities assessed based on risk profile (not mandatory)",
        "Third-party monitoring role not specifically required",
        "ICT security training 'as appropriate' (not compulsory modules)",
        "TLPT excluded (Art. 26(1))",
        "Functions may be combined (no mandatory separation)"
      ],
      "obligations": [
        {
          "category": "Simplified ICT Risk Management (Proportionate)",
          "pillar": 1,
          "article": "Art. 16",
          "items": [
            "Sound and documented ICT risk management framework (proportionate to size)",
            "Continuous monitoring of ICT security and functionality",
            "Prompt identification of risk sources",
            "Periodic review of framework",
            "Business continuity with backup and recovery",
            "Regular testing (proportionate)",
            "No three-lines-of-defence requirement",
            "No dedicated control function required",
            "No crisis communication function required",
            "No digital operational resilience strategy requirement"
          ],
          "note": "RTS 2024/1774 Title III (Art. 28-41) applies instead of Title II for simplified framework entities."
        },
        {
          "category": "Incident Management & Reporting",
          "pillar": 2,
          "article": "Art. 17-23",
          "items": [
            "Incident identification, classification, and response procedures",
            "Same reporting deadlines as full framework entities",
            "Customer notification without undue delay if clients' financial interests impacted"
          ],
          "incident_reporting": {
            "initial": {
              "deadline": "4 hours after classification as major, max 24 hours after detection",
              "content": "Basic facts, impact assessment"
            },
            "intermediate": {
              "deadline": "72 hours after initial notification",
              "content": "Updated assessment, root cause analysis"
            },
            "final": {
              "deadline": "1 month after incident",
              "content": "Full analysis, lessons learned, remediation"
            }
          }
        },
        {
          "category": "Digital Operational Resilience Testing (Proportionate)",
          "pillar": 3,
          "article": "Art. 24-25",
          "items": [
            "Basic resilience testing (proportionate to size and risk)",
            "TLPT excluded (Art. 26(1))"
          ]
        },
        {
          "category": "ICT Third-Party Risk Management",
          "pillar": 4,
          "article": "Art. 28-44",
          "items": [
            "Maintain register of information on ICT service contracts",
            "Mandatory contract provisions (Art. 30)",
            "Exit strategies for critical function providers",
            "Entity retains full responsibility even when outsourcing",
            "Annual reporting of new/changed critical function arrangements to authorities"
          ]
        },
        {
          "category": "Information Sharing",
          "pillar": 5,
          "article": "Art. 45",
          "items": [
            "Encouraged (not mandatory) to participate in cyber threat intelligence sharing"
          ]
        },
        {
          "category": "Governance",
          "pillar": 6,
          "article": "Art. 5",
          "items": [
            "Management body: ultimate accountability, approve policies, allocate budgets",
            "Training for management body members on ICT risk"
          ]
        }
      ],
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies"
        },
        {
          "date": "2025-04-15",
          "description": "Register of Information submission to supervisory authorities (varies by Member State)"
        },
        {
          "date": "2025-04-11",
          "description": "Germany: BaFin RoI submission deadline"
        },
        {
          "date": "2025-04-15",
          "description": "France: ACPR RoI submission deadline"
        },
        {
          "date": null,
          "description": "Periodic resilience testing (proportionate, ongoing)"
        },
        {
          "date": null,
          "description": "Periodic ICT risk management framework review"
        }
      ],
      "sanctions": {
        "primary_note": "IMPORTANT: DORA Art. 50-52 do NOT specify penalty amounts. They delegate penalty determination entirely to each Member State, requiring only that penalties be 'effective, proportionate and dissuasive.' Actual penalties vary by Member State and are set through national transposition legislation.",
        "member_state_determined": true,
        "legal_ref": "Art. 50-52",
        "indicative_examples": {
          "disclaimer": "The following figures are indicative examples drawn from industry analysis and early national implementations. They do NOT appear in the DORA regulation text and should not be relied upon as definitive.",
          "max_fine_turnover": "Up to 2% of total annual worldwide turnover (industry estimate)",
          "max_fine_entity": "Up to EUR 5,000,000 (industry estimate)",
          "max_fine_individual": "Up to EUR 1,000,000 (industry estimate)"
        },
        "management_ban": "Possible — Member State dependent",
        "criminal_sanctions": "Member State dependent (Art. 52)"
      },
      "nis2_interaction": {
        "status": "lex_specialis",
        "condition": "Only displayed when NIS2_OVERLAP flag is set",
        "description": "Your entity appears to fall under both DORA and NIS2. DORA is designated as lex specialis (sector-specific law) under NIS2's Article 4.",
        "dora_supersedes": [
          "ICT risk management (Art. 6 et seq.)",
          "ICT incident management and reporting (Art. 17 et seq.)",
          "Digital operational resilience testing (Art. 24 et seq.)",
          "Information-sharing arrangements (Art. 45)",
          "ICT third-party risk management (Art. 28 et seq.)"
        ],
        "nis2_not_applicable": "NIS2 Chapter VII (supervision and enforcement) does not apply",
        "note": "Other NIS2 requirements may remain applicable — no blanket exemption"
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1774",
          "subject": "ICT Risk Management Framework (Title III for simplified framework)"
        },
        {
          "id": "RTS 2024/1772",
          "subject": "Incident Classification Criteria"
        },
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/1771",
          "subject": "Incident Reporting Templates"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        },
        {
          "id": "RTS 2025/301",
          "subject": "Incident Reporting Content and Time Limits"
        },
        {
          "id": "ITS 2025/302",
          "subject": "Incident Reporting Forms"
        },
        {
          "id": "RTS 2025/532",
          "subject": "Subcontracting Critical ICT Services"
        }
      ],
      "legal_ref": "Art. 3(60), 4, 16, 17-23, 24-25, 28-44, 45, 50-52",
      "notes": [
        "This is the lightest obligation tier under DORA, combining simplified framework with microenterprise proportionality.",
        "TLPT is excluded for both simplified framework entities and microenterprises (Art. 26(1)).",
        "RTS 2024/1774 Title III (Art. 28-41) applies instead of Title II.",
        "This assessment is indicative and based on your answers. A definitive classification requires professional legal analysis."
      ],
      "next_steps": [
        {
          "step": "Gap analysis",
          "description": "Compare DORA Art. 16 simplified requirements against current policies and controls"
        },
        {
          "step": "Governance setup",
          "description": "Ensure management body accountability and allocate budgets"
        },
        {
          "step": "ICT risk management framework",
          "description": "Establish/update framework meeting Art. 16 simplified requirements"
        },
        {
          "step": "Incident response",
          "description": "Implement classification, detection, and reporting procedures (4h/72h/1mo)"
        },
        {
          "step": "Third-party management",
          "description": "Build/update register of ICT service providers, review contracts"
        },
        {
          "step": "Resilience testing",
          "description": "Establish proportionate periodic testing"
        },
        {
          "step": "Training",
          "description": "ICT risk training for management body (as appropriate)"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist for detailed assessment",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_ict_provider": {
      "id": "r_ict_provider",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_ICT_PROVIDER",
      "title": "IN SCOPE — ICT Third-Party Service Provider",
      "summary": "As an ICT third-party service provider, you are in scope of DORA but you are NOT a 'financial entity.' Your obligations arise primarily through contractual requirements imposed by your financial entity clients under Art. 28-30.",
      "classification": "ICT_PROVIDER",
      "obligations": [
        {
          "category": "Contractual Requirements (imposed by financial entity clients)",
          "article": "Art. 28-30",
          "items": [
            "Clear service descriptions with quantitative/qualitative performance targets",
            "Data location requirements (processing and storage)",
            "Service level agreements (SLAs) with measurable targets",
            "Assistance in case of ICT incidents at the financial entity",
            "Audit and inspection rights (including for competent authorities)",
            "Exit strategies with transition periods and data portability",
            "Incident notification obligations",
            "Subcontracting conditions and approval processes"
          ]
        },
        {
          "category": "Register of Information",
          "article": "Art. 28(3)",
          "items": [
            "Your financial entity clients must include your services in their register of information on ICT third-party service contracts",
            "You may be asked to provide information to support their register maintenance"
          ]
        }
      ],
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies — financial entity clients must ensure contracts comply"
        },
        {
          "date": null,
          "description": "Ongoing compliance with contractual provisions"
        }
      ],
      "sanctions": {
        "note": "As a non-CTPP ICT provider, you are not directly subject to DORA penalties. However, non-compliance with contractual requirements may lead to contract termination by financial entity clients, and competent authorities may require financial entities to terminate or adjust arrangements with non-compliant providers.",
        "direct_penalties": false,
        "indirect_consequences": [
          "Contract termination by financial entity clients",
          "Competent authorities may require financial entities to adjust or terminate arrangements",
          "Reputational impact"
        ]
      },
      "ctpp_designation": {
        "status": "UNLIKELY",
        "criteria": "The ESAs consider: (1) systemic impact on financial services stability, (2) systemic character of reliant financial entities, (3) degree of reliance for critical/important functions, (4) degree of substitutability (Art. 31(2))",
        "note": "Based on your answers, CTPP designation appears unlikely. If circumstances change, reassess."
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        },
        {
          "id": "RTS 2025/532",
          "subject": "Subcontracting Critical ICT Services"
        }
      ],
      "legal_ref": "Art. 2(1)(u), 28-30",
      "notes": [
        "You are NOT a financial entity under DORA. Your obligations are contractual, not regulatory.",
        "Financial entities must include specific DORA-compliant provisions in their contracts with you.",
        "This assessment is indicative. If your market position changes, CTPP designation may become more likely."
      ],
      "next_steps": [
        {
          "step": "Review client contracts",
          "description": "Expect financial entity clients to update contracts with DORA-compliant provisions (Art. 30)"
        },
        {
          "step": "Prepare for audit requests",
          "description": "Financial entities (and their supervisors) have audit and inspection rights over your services"
        },
        {
          "step": "Incident notification readiness",
          "description": "Ensure you can notify financial entity clients of ICT incidents affecting their services"
        },
        {
          "step": "Data location documentation",
          "description": "Document where data is processed and stored, as clients must know this"
        },
        {
          "step": "Exit strategy support",
          "description": "Be prepared to support client transitions with data portability and transition periods"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist to review your contractual readiness",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_ict_ctpp_likely": {
      "id": "r_ict_ctpp_likely",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_CTPP_LIKELY",
      "title": "IN SCOPE — ICT Provider, Likely Critical Third-Party Provider (CTPP)",
      "summary": "Based on your answers, your entity is likely to be designated as a Critical Third-Party Provider (CTPP) under DORA Art. 31. CTPPs are subject to direct oversight by a Lead Overseer (EBA, ESMA, or EIOPA) and face specific regulatory obligations and penalties beyond standard ICT provider requirements.",
      "classification": "ICT_PROVIDER_CTPP_LIKELY",
      "obligations": [
        {
          "category": "Standard ICT Provider Obligations (Art. 28-30)",
          "article": "Art. 28-30",
          "items": [
            "Clear service descriptions with quantitative/qualitative performance targets",
            "Data location requirements (processing and storage)",
            "Service level agreements (SLAs) with measurable targets",
            "Assistance in case of ICT incidents at the financial entity",
            "Audit and inspection rights (including for competent authorities)",
            "Exit strategies with transition periods and data portability",
            "Incident notification obligations",
            "Subcontracting conditions and approval processes"
          ]
        },
        {
          "category": "CTPP Direct Oversight Framework (Art. 31-44)",
          "article": "Art. 31-44",
          "items": [
            "Direct oversight by Lead Overseer (EBA, ESMA, or EIOPA)",
            "Compliance, resilience, and risk requirements imposed directly",
            "Joint examination teams (JET) for oversight activities",
            "Must establish EU subsidiary within 12 months of designation (if non-EU)",
            "Cooperation with oversight authorities",
            "Regular reporting to Lead Overseer"
          ]
        }
      ],
      "ctpp_designation": {
        "status": "LIKELY",
        "criteria_detail": [
          {
            "criterion": "Systemic impact",
            "article": "Art. 31(2)(a)",
            "description": "Impact on the stability, continuity, or quality of financial services in the event of a widespread operational failure of the provider"
          },
          {
            "criterion": "Systemic character of reliant entities",
            "article": "Art. 31(2)(b)",
            "description": "Number and importance of financial entities relying on the provider (G-SIIs, O-SIIs)"
          },
          {
            "criterion": "Degree of reliance",
            "article": "Art. 31(2)(c)",
            "description": "Extent to which financial entities depend on the provider for critical or important functions"
          },
          {
            "criterion": "Substitutability",
            "article": "Art. 31(2)(d)",
            "description": "Degree of substitutability considering market concentration, proprietary technology, migration complexity"
          }
        ],
        "voluntary_designation": "ICT providers may also voluntarily request CTPP designation (Art. 31(11))"
      },
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies"
        },
        {
          "date": null,
          "description": "CTPP designation process ongoing (ESAs publish and update list)"
        },
        {
          "date": null,
          "description": "If designated: EU subsidiary within 12 months (for non-EU providers)"
        }
      ],
      "sanctions": {
        "note": "DORA Art. 35 specifies the oversight framework for CTPPs. The only penalty amount specified directly in DORA is the periodic penalty payment under Art. 35(8).",
        "if_designated_ctpp": {
          "periodic_penalty_payment": {
            "amount": "Up to 1% of average daily worldwide turnover for up to 6 months",
            "legal_ref": "Art. 35(8)",
            "source": "Directly specified in DORA regulation text"
          },
          "note_on_fines": "DORA Art. 35 does NOT specify fixed fine amounts (e.g., entity or individual fines) for CTPPs. The EUR 5M entity fine and EUR 500K individual fine figures sometimes cited in industry analysis do NOT appear in the DORA regulation text.",
          "business_restrictions": true,
          "additional_measures": [
            "Lead Overseer may issue recommendations requiring specific actions",
            "Publication of non-compliance",
            "Request to financial entities to suspend or terminate arrangements"
          ]
        },
        "if_not_designated": {
          "direct_penalties": false,
          "indirect_consequences": [
            "Contract termination by financial entity clients",
            "Competent authorities may require financial entities to adjust or terminate arrangements"
          ]
        }
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        },
        {
          "id": "RTS 2025/532",
          "subject": "Subcontracting Critical ICT Services"
        }
      ],
      "legal_ref": "Art. 2(1)(u), 28-30, 31-44",
      "notes": [
        "CTPP designation is made by the ESAs through the Joint Committee. This assessment indicates likelihood based on your answers.",
        "ICT third-party service providers that serve financial entities in only one Member State cannot be designated as CTPPs (Art. 31(8)).",
        "Non-EU CTPPs must establish an EU subsidiary within 12 months of designation.",
        "This assessment is indicative. The actual designation decision is made by the ESAs."
      ],
      "next_steps": [
        {
          "step": "Monitor ESA designation process",
          "description": "Track the ESA Joint Committee's CTPP designation list and process"
        },
        {
          "step": "Prepare oversight readiness",
          "description": "Establish internal compliance and reporting capabilities for Lead Overseer requirements"
        },
        {
          "step": "Review client contracts",
          "description": "Ensure contracts include DORA-compliant provisions (Art. 30)"
        },
        {
          "step": "EU subsidiary planning",
          "description": "If non-EU, plan for establishing an EU subsidiary within 12 months of potential designation"
        },
        {
          "step": "Audit and inspection readiness",
          "description": "Prepare for direct oversight activities including joint examination teams"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist for detailed CTPP preparation",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_ict_ctpp_possible": {
      "id": "r_ict_ctpp_possible",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_CTPP_POSSIBLE",
      "title": "IN SCOPE — ICT Provider, Possible CTPP Designation",
      "summary": "As an ICT third-party service provider with significant market reach, there is a possibility your entity could be designated as a Critical Third-Party Provider (CTPP) under DORA Art. 31. While designation is not certain, you should prepare for both standard ICT provider obligations and potential CTPP requirements.",
      "classification": "ICT_PROVIDER_CTPP_POSSIBLE",
      "obligations": [
        {
          "category": "Standard ICT Provider Obligations (Art. 28-30)",
          "article": "Art. 28-30",
          "items": [
            "Clear service descriptions with quantitative/qualitative performance targets",
            "Data location requirements (processing and storage)",
            "Service level agreements (SLAs) with measurable targets",
            "Assistance in case of ICT incidents at the financial entity",
            "Audit and inspection rights (including for competent authorities)",
            "Exit strategies with transition periods and data portability",
            "Incident notification obligations",
            "Subcontracting conditions and approval processes"
          ]
        },
        {
          "category": "Potential CTPP Obligations (if designated, Art. 31-44)",
          "article": "Art. 31-44",
          "items": [
            "Direct oversight by Lead Overseer (EBA, ESMA, or EIOPA)",
            "Compliance, resilience, and risk requirements imposed directly",
            "Joint examination teams (JET) for oversight activities",
            "Must establish EU subsidiary within 12 months of designation (if non-EU)",
            "Cooperation with oversight authorities"
          ]
        }
      ],
      "ctpp_designation": {
        "status": "POSSIBLE",
        "criteria_detail": [
          {
            "criterion": "Systemic impact",
            "article": "Art. 31(2)(a)",
            "description": "Impact on the stability, continuity, or quality of financial services in the event of a widespread operational failure of the provider"
          },
          {
            "criterion": "Systemic character of reliant entities",
            "article": "Art. 31(2)(b)",
            "description": "Number and importance of financial entities relying on the provider"
          },
          {
            "criterion": "Degree of reliance",
            "article": "Art. 31(2)(c)",
            "description": "Extent to which financial entities depend on the provider for critical or important functions"
          },
          {
            "criterion": "Substitutability",
            "article": "Art. 31(2)(d)",
            "description": "Degree of substitutability considering market concentration, proprietary technology, migration complexity"
          }
        ],
        "voluntary_designation": "ICT providers may also voluntarily request CTPP designation (Art. 31(11))"
      },
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies"
        },
        {
          "date": null,
          "description": "Monitor CTPP designation decisions by ESAs"
        }
      ],
      "sanctions": {
        "note": "If designated as CTPP, the only penalty amount specified directly in DORA is the periodic penalty payment under Art. 35(8). As a standard ICT provider, you are not directly subject to DORA penalties but face indirect consequences.",
        "if_designated_ctpp": {
          "periodic_penalty_payment": {
            "amount": "Up to 1% of average daily worldwide turnover for up to 6 months",
            "legal_ref": "Art. 35(8)",
            "source": "Directly specified in DORA regulation text"
          },
          "note_on_fines": "DORA Art. 35 does NOT specify fixed fine amounts (e.g., entity or individual fines) for CTPPs. Specific fine figures sometimes cited in industry analysis do NOT appear in the DORA regulation text.",
          "business_restrictions": true
        },
        "if_not_designated": {
          "direct_penalties": false,
          "indirect_consequences": [
            "Contract termination by financial entity clients",
            "Competent authorities may require financial entities to adjust or terminate arrangements"
          ]
        }
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        },
        {
          "id": "RTS 2025/532",
          "subject": "Subcontracting Critical ICT Services"
        }
      ],
      "legal_ref": "Art. 2(1)(u), 28-30, 31-44",
      "notes": [
        "CTPP designation is not certain but possible based on your market position and substitutability.",
        "ICT third-party service providers serving financial entities in only one Member State cannot be designated as critical (Art. 31(8)).",
        "Monitor the ESA Joint Committee's CTPP designation list.",
        "This assessment is indicative. The actual designation decision is made by the ESAs."
      ],
      "next_steps": [
        {
          "step": "Monitor ESA designation process",
          "description": "Track the ESA Joint Committee's CTPP designation list and process"
        },
        {
          "step": "Review client contracts",
          "description": "Ensure contracts include DORA-compliant provisions (Art. 30)"
        },
        {
          "step": "Prepare for potential oversight",
          "description": "Consider establishing oversight readiness in case of CTPP designation"
        },
        {
          "step": "Incident notification readiness",
          "description": "Ensure you can notify financial entity clients of ICT incidents"
        },
        {
          "step": "Expert consultation",
          "description": "Engage a DORA compliance specialist to assess your CTPP likelihood and prepare accordingly",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    },
    "r_ict_intragroup": {
      "id": "r_ict_intragroup",
      "stage": "RESULT",
      "type": "result",
      "scope_status": "IN_SCOPE_ICT_INTRAGROUP",
      "title": "ICT Intra-Group Provider",
      "summary": "As an intra-group ICT service provider, you provide services predominantly within your own financial group. You are subject to DORA requirements through your group's ICT risk management framework. You cannot be designated as a CTPP (Art. 31(8)).",
      "classification": "ICT_INTRAGROUP",
      "obligations": [
        {
          "category": "Group-level ICT Risk Management",
          "article": "Art. 28-30",
          "items": [
            "Subject to group-level ICT third-party risk management framework",
            "Financial entities in your group remain fully responsible for DORA compliance",
            "Contractual arrangements within the group must still comply with Art. 30",
            "Register of information must include intra-group arrangements"
          ]
        }
      ],
      "deadlines": [
        {
          "date": "2025-01-17",
          "description": "DORA fully applies"
        },
        {
          "date": null,
          "description": "Ongoing compliance through group arrangements"
        }
      ],
      "sanctions": {
        "note": "As an intra-group provider, you are not directly subject to DORA penalties. The financial entities in your group bear regulatory responsibility.",
        "direct_penalties": false,
        "ctpp_designation": "Cannot be designated as CTPP (Art. 31(8))"
      },
      "technical_standards": [
        {
          "id": "RTS 2024/1773",
          "subject": "Third-Party ICT Policy"
        },
        {
          "id": "ITS 2024/2956",
          "subject": "Register of Information Templates"
        }
      ],
      "legal_ref": "Art. 3(20), 28-30, 31(8)",
      "notes": [
        "Cannot be designated as CTPP (Art. 31(8)).",
        "Group-level ICT third-party risk management applies.",
        "Financial entities in your group remain fully responsible for their own DORA compliance.",
        "Intra-group contracts must still meet Art. 30 requirements."
      ],
      "next_steps": [
        {
          "step": "Coordinate with group compliance",
          "description": "Work with your group's compliance function to ensure DORA-compliant intra-group arrangements"
        },
        {
          "step": "Review intra-group contracts",
          "description": "Ensure contracts with group entities include Art. 30 mandatory provisions"
        },
        {
          "step": "Support register of information",
          "description": "Provide information for the group's register of ICT service contracts"
        },
        {
          "step": "Expert consultation",
          "description": "Consider engaging a DORA compliance specialist for group-level compliance review",
          "url": "https://asphaliaconsulting.be/contact/"
        }
      ]
    }
  },
  "edge_cases_index": {
    "multi_authorised_entity": {
      "trigger_node": "s_010",
      "summary": "Entities with multiple authorisations should apply DORA based on their primary/most demanding authorisation.",
      "source": "General principle"
    },
    "group_level_application": {
      "trigger_node": "sz_010",
      "summary": "DORA applies at entity level, but ICT risk management may be defined at group level. Each regulated entity within a group must comply individually.",
      "source": "Art. 5-6"
    },
    "third_country_branches": {
      "trigger_node": "j_010",
      "summary": "Branches of non-EU entities operating in the EU under passporting arrangements may fall within scope. Consult your competent authority.",
      "source": "Art. 2"
    },
    "payment_related_incident_reporting": {
      "trigger_node": "s_020_payment",
      "summary": "Entities listed in Art. 2(1)(a)-(d) — credit institutions, payment institutions, AISPs, e-money institutions — have additional payment-related incident reporting obligations under Art. 19(1) alongside general incident reporting.",
      "source": "Art. 19(1)"
    },
    "significant_credit_institutions_tlpt": {
      "trigger_node": "sz_result",
      "summary": "Significant credit institutions identified for TLPT must use external testers for all threat-led penetration tests (Art. 26(8) third subparagraph).",
      "source": "Art. 26(8)"
    },
    "ict_provider_single_ms": {
      "trigger_node": "ict_020",
      "summary": "ICT providers serving entities in only one Member State (where those entities are active only in that MS) cannot be designated as CTPP (Art. 31(8)).",
      "source": "Art. 31(8)"
    },
    "voluntary_ctpp_designation": {
      "trigger_node": "ict_020",
      "summary": "ICT providers may voluntarily request CTPP designation under Art. 31(11).",
      "source": "Art. 31(11)"
    },
    "crd_exempted_simplified_framework": {
      "trigger_node": "x_030_credit",
      "summary": "CRD Art. 2(5)(4)-(23) entities that are NOT excluded by their Member State under Art. 2(4) remain in DORA scope and qualify for the simplified framework (Art. 16), not the full framework.",
      "source": "Art. 2(4), Art. 16(1)"
    },
    "transition_excluded_to_in_scope": {
      "trigger_node": "x_010_iorp",
      "summary": "If an entity's status changes (e.g., IORP grows above 15 members, AIFM crosses threshold, insurance intermediary exceeds SME thresholds), it must comply with DORA. Re-assessment should be triggered.",
      "source": "Art. 2(3)"
    },
    "micro_ineligible_entity_types": {
      "trigger_node": "s_020_infra",
      "summary": "CSDs, CCPs, trading venues, and trade repositories cannot qualify as microenterprises regardless of their actual size (Art. 3(60)). They always face full framework obligations.",
      "source": "Art. 3(60)"
    }
  },
  "consult_expert_scenarios": [
    {
      "id": "AMB-1",
      "scenario": "Multi-authorised financial entity",
      "description": "Entity holds authorisations in multiple financial sectors (e.g., credit institution + payment institution). It should be assessed under the most demanding authorisation, but expert guidance is recommended for obligation mapping.",
      "node": "s_010"
    },
    {
      "id": "AMB-2",
      "scenario": "CRD Art. 2(5)(4)-(23) entity — Member State exclusion status unknown",
      "description": "CRD-exempted credit institution types where the Member State exclusion decision under DORA Art. 2(4) is unclear. Entity may be excluded entirely or qualify for simplified framework.",
      "node": "x_030_credit"
    },
    {
      "id": "AMB-3",
      "scenario": "MiFID II exemption status uncertain",
      "description": "Investment firm unsure whether it qualifies for MiFID II Art. 2 or 3 exemption, which would exclude it from DORA entirely.",
      "node": "x_010_invest"
    },
    {
      "id": "AMB-4",
      "scenario": "Small and non-interconnected investment firm classification",
      "description": "Investment firm unsure whether it meets the IFR Art. 12(1) criteria for small and non-interconnected status, which would qualify it for the simplified framework.",
      "node": "x_020_invest"
    },
    {
      "id": "AMB-5",
      "scenario": "AIFM threshold calculation",
      "description": "AIFM unsure whether its portfolio falls below the EUR 100M (with leverage) or EUR 500M (without leverage) thresholds that would exclude it from DORA.",
      "node": "x_010_aifm"
    },
    {
      "id": "AMB-6",
      "scenario": "Solvency II threshold assessment",
      "description": "Insurance/reinsurance undertaking unsure whether it falls below the Solvency II Art. 4 thresholds that would exclude it from DORA.",
      "node": "x_010_insurance"
    },
    {
      "id": "AMB-7",
      "scenario": "Insurance intermediary SME status",
      "description": "Insurance/reinsurance intermediary unsure whether it qualifies as a microenterprise or SME, which would exclude it from DORA entirely.",
      "node": "x_010_intermediary"
    },
    {
      "id": "AMB-8",
      "scenario": "PSD2 exemption status",
      "description": "Payment institution unsure whether it holds a PSD2 exemption under Art. 32(1), which would qualify it for the simplified framework.",
      "node": "x_010_payment"
    },
    {
      "id": "AMB-9",
      "scenario": "EMD2 exemption status",
      "description": "E-money institution unsure whether it holds an EMD2 exemption under Art. 9(1), which would qualify it for the simplified framework.",
      "node": "x_010_emoney"
    },
    {
      "id": "AMB-10",
      "scenario": "NIS2 overlap determination",
      "description": "Entity unsure whether it is also classified as essential or important under NIS2, which triggers the lex specialis interaction with DORA.",
      "node": "n_010"
    },
    {
      "id": "AMB-11",
      "scenario": "ICT service provider classification",
      "description": "Entity unsure whether its services qualify as ICT services under DORA Art. 3(21) or whether it serves financial entities.",
      "node": "s_020_ict"
    },
    {
      "id": "AMB-12",
      "scenario": "CTPP designation likelihood",
      "description": "ICT provider with complex market position where CTPP designation likelihood is difficult to self-assess based on the Art. 31(2) criteria.",
      "node": "ict_020"
    }
  ]
}