← Thought Leadership

Compliance Guides

Does DORA apply to my company?

DORA applies to EU financial entities and their ICT third-party providers. Two tests, a decision path, and what it requires if you’re in scope.

Jan Jensen
Co-founder
· 5 min read
The Frankfurt financial district skyline at sunset

Photo: Jan Jobczyk / Unsplash

New to the topic? Start with What sovereign compliance actually means.

DORA — the Digital Operational Resilience Act — applies to you if you are a financial entity operating in the EU, or an ICT third-party provider serving those entities. It has applied since 17 January 2025. If you are a bank, insurer, investment firm, payment or e-money institution, crypto-asset service provider, or a technology company supplying any of them, you are very likely in scope. Here are the two tests that decide it.

Test 1 — Are you a “financial entity”?

DORA lists the financial entities it covers, including credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and several others. If your firm holds an EU financial licence or authorisation, assume you are in scope unless a specific exemption applies.

Definition
Financial entity (DORA)
One of the categories of firm DORA lists directly — credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, and insurance and reinsurance undertakings among them. Holding an EU financial licence generally means you are a financial entity under DORA unless a specific exemption applies.

Test 2 — Are you an ICT third-party provider to financial entities?

If you supply ICT services — cloud, software, data, or managed services — to EU financial entities, DORA reaches you through your customers’ third-party risk requirements, and, if you are designated critical, through direct oversight. A provider based outside the EU is not out of scope: what matters is that your customer is an in-scope financial entity. If that describes you, it is worth understanding how a tool becomes a regulated third party in the first place.

What DORA requires if it applies

DORA’s requirements fall into five areas:

  • ICT risk management— a documented framework for identifying, protecting, detecting, and recovering.
  • ICT-related incident reporting— classifying and reporting major incidents to your competent authority.
  • Digital operational resilience testing— regular testing, up to threat-led penetration testing for larger entities.
  • ICT third-party risk management— including the specific contractual terms required under Article 30.
  • Information sharing— voluntary exchange of cyber-threat intelligence.

Smaller and less complex entities benefit from a proportionality principle and, in some cases, a simplified ICT risk-management framework.

How COMPLY.Reg helps

COMPLY.Reg is a regulatory compliance tool that uses AI to turn DORA from a PDF into a working control set: it extracts DORA’s individual requirements, maps them to controls, and tracks the evidence that proves each one — so an audit becomes traceable rather than a scramble. Your source documents stay on your own systems, and your compliance data is processed in the EU. Not sure DORA is the only regime that applies? Start with which EU regulations apply to your company.

Frequently asked questions

When did DORA start applying?
17 January 2025.
Does DORA apply to non-EU companies?
Yes, indirectly and sometimes directly — if you provide ICT services to EU financial entities, DORA’s third-party requirements reach you through those relationships.
Is there a lighter regime for small firms?
Yes — DORA applies a proportionality principle, and certain entities may use a simplified ICT risk-management framework.

Sources