DORA
Does DORA apply to my financial entity?
DORA (Digital Operational Resilience Act) has applied since January 17, 2025. Answer 7 questions to find out whether your financial entity is in scope.
Last updated: 1 May 2025
Does my financial entity need to comply with DORA?
- Yes path: DORA applies — fix third-party contracts immediately
- No path: Outside DORA scope — not an EU-authorised financial entity
- Use the step-by-step decision tree below for your exact situation
For informational purposes only. Consult qualified legal counsel before making compliance decisions.
Decision tree questions
Is your organisation a financial entity regulated under EU law?
Financial entities covered by DORA (Art. 2) include, among others: credit institutions (banks), payment institutions, e-money institutions, investment firms, crypto-asset service providers (CASPs), insurance and reinsurance undertakings, institutions for occupational retirement provision (pension funds), credit rating agencies, crowdfunding service providers, data reporting service providers, fund managers (AIFMs and UCITS management companies), trading venues, central counterparties, and central securities depositories.
- Yes: Continue to: Is your entity authorised or registered by an EU financial supervisory authority (EBA, ESMA, EIOPA, or a national competent authority)?
- No: DORA does not apply — not a financial entity
Is your entity authorised or registered by an EU financial supervisory authority (EBA, ESMA, EIOPA, or a national competent authority)?
DORA applies to entities authorised or registered under EU financial services legislation. A non-EU organisation is not itself a financial entity under DORA, but an ICT third-party service provider (EU or non-EU) serving EU financial entities can be designated as critical by the European Supervisory Authorities (Art. 31) and then falls under the DORA oversight framework.
- Yes: Continue to: Does your organisation depend on ICT systems to deliver its core financial services?
- No: Outside DORA scope — not an EU-authorised financial entity
Does your organisation depend on ICT systems to deliver its core financial services?
Nearly all financial entities depend on ICT. This question confirms you have ICT risk to manage. Even paper-based operations typically have some digital dependency (core banking, reporting).
- Yes: Continue to: Do you have a documented ICT risk management framework approved by your management body?
- No: DORA applies — verify ICT dependency scope
Do you have a documented ICT risk management framework approved by your management body?
DORA Art. 5 requires the management body to define, approve, oversee and take responsibility for the ICT risk management framework; the required content of the framework itself is set out in Art. 6. A generic IT policy does not suffice: the framework must explicitly address ICT risk and be reviewed at least annually.
- Yes: Continue to: Do you use third-party ICT providers for critical or important functions?
- No: DORA applies — ICT risk framework required immediately
Do you use third-party ICT providers for critical or important functions?
Critical/important functions: functions where a disruption would materially impair your ability to provide financial services, meet regulatory obligations, or manage risk. Cloud providers, core banking vendors, and payment processors typically qualify.
- Yes: Continue to: Do your contracts with critical ICT providers include the mandatory DORA clauses: exit strategies, audit rights, sub-contracting notifications, and performance SLAs?
- No: DORA applies — limited third-party exposure
Do your contracts with critical ICT providers include the mandatory DORA clauses: exit strategies, audit rights, sub-contracting notifications, and performance SLAs?
Art. 30 specifies mandatory contractual provisions for every contractual arrangement with an ICT third-party service provider, and Art. 30(3) adds further provisions (full SLAs with performance targets, audit and inspection rights, TLPT participation, exit strategies) where the service supports a critical or important function. Generic vendor contracts rarely contain all required clauses.
- Yes: DORA applies — baseline compliance in place; verify readiness for threat-led penetration testing (TLPT, Art. 26) if your competent authority requires it of your entity
- No: DORA applies — fix third-party contracts immediately