EuroComply

DORA for Small Financial Entities

DORA applies a proportionality principle (Article 4): the depth and granularity of an entity's ICT risk-management framework should reflect its size, overall risk profile, and the nature, scale, and complexity of its services. Article 16 sets out a simplified ICT risk-management framework for a closed list of small or non-interconnected entities; those entities are released from Articles 5 to 15 only and remain subject to the rest of the Regulation.

Does DORA apply to small financial entities?

Yes. DORA does not exempt small financial entities. Article 4 introduces a proportionality principle and Article 16 a simplified ICT risk-management framework for specific small and non-interconnected entities. Microenterprises remain in scope.

  • The simplified framework under Article 16 is available to small and non-interconnected investment firms, payment institutions exempted under PSD2 (Directive (EU) 2015/2366), credit institutions exempted under CRD (Directive 2013/36/EU) where the Member State has not opted them in, electronic-money institutions exempted under the EMD (Directive 2009/110/EC), and small IORPs
  • Microenterprises (fewer than 10 employees and annual turnover and/or balance-sheet total of at most EUR 2 million, Article 3(60)) are not exempt from DORA as a whole; proportionality applies, and a number of individual provisions (for example threat-led penetration testing under Article 26) carve microenterprises out, but the core obligations remain
  • The Register of Information (Article 28(3)) applies regardless of size; only the granularity adapts
  • Major-ICT-incident reporting (Article 19(4)) applies regardless of size. The three reports are the initial notification, the intermediate report and the final report; the deadlines set by the accompanying RTS are 4 hours from classifying the incident as major (and no later than 24 hours from becoming aware of it) for the initial notification, 72 hours from the initial notification for the intermediate report, and one month from the latest intermediate report for the final report
Source: Regulation (EU) 2022/2554 (EUR-Lex)

Who does DORA apply to?

DORA applies to a broad set of financial entities and — uniquely — directly to ICT third-party service providers designated as critical to the EU financial system.

  • Credit institutions, payment institutions, account-information service providers, electronic-money institutions, investment firms
  • Crypto-asset service providers and issuers of asset-referenced tokens (under MiCA), central securities depositories, central counterparties, trading venues, trade repositories
  • Insurance and reinsurance undertakings, insurance intermediaries, IORPs, credit-rating agencies, administrators of critical benchmarks, crowdfunding service providers (statutory auditors and audit firms were dropped from the final text and are not in scope)
  • Critical third-party ICT service providers (CTPPs) designated by the European Supervisory Authorities

What are the penalties for DORA non-compliance?

Sanctions for financial entities are set at national level: Article 50 requires each Member State to lay down administrative penalties and remedial measures for breaches of the Regulation, so the maximum fine depends on the national transposition. CTPPs face a harmonised EU-level oversight regime with a periodic-penalty mechanism set in DORA itself.

Maximum fine. CTPPs: up to 1% of average daily worldwide turnover in the preceding business year, imposed daily until compliance and for no more than six months (Article 35). Financial entities: per national law.

When does DORA apply?

DORA entered into force on 16 January 2023 and applied directly from 17 January 2025 across the EU. National competent authorities began supervisory dialogues with in-scope entities in late 2024.

  • 2023-01-16 — Entry into force
  • 2025-01-17 — Direct application across the EU

How to maintain a DORA-compliant ICT third-party register

Article 28(3) requires financial entities to keep a Register of Information on all contractual arrangements with ICT third-party service providers and to make it available to the competent authority on request.

  1. Identify all ICT third-party service providers

     Map every contractual arrangement that involves the provision of ICT services, regardless of whether the provider is intra-group or external. Article 28(3) requires the register to be kept at entity level and, where applicable, at sub-consolidated and consolidated level.

  2. Record the Implementing Technical Standards (ITS) fields

     Capture the fields prescribed by the ITS on the Register of Information (Commission Implementing Regulation (EU) 2024/2956): contract metadata, description of the function supported, criticality assessment, location of data and of service provision, the sub-contracting chain, and so on.

  3. Flag arrangements supporting critical or important functions

     Mark which arrangements support functions classified as critical or important. These trigger the additional contractual provisions of Article 30(3), the pre-contractual assessment of Article 28(4) and the documented exit strategies required by Article 28(8). Article 28(3) also requires the financial entity to inform its competent authority in a timely manner of any planned contractual arrangement supporting a critical or important function and of any function that has become critical or important.

  4. Keep the register current and ready for submission

     Article 28(3) obliges the entity to maintain and update the register, to make it (or specified sections of it) available to the competent authority on request, and to report at least yearly on the number of new arrangements, the categories of provider, the type of arrangement and the services and functions provided. Competent authorities collect the register in the prescribed ITS format on an annual cycle, so update it whenever an arrangement supporting a critical or important function materially changes rather than only at the reporting date.

Up to 1% of average daily worldwide turnover

Maximum daily periodic penalty payment the EU Lead Overseer can impose on a Critical Third-Party Provider for non-compliance with DORA's oversight measures, imposed daily until compliance and capped at six months.

Regulation (EU) 2022/2554, Article 35(6)


For informational purposes only. This is not legal advice — consult qualified legal counsel.
