Ivan Spiteri
Director of Technology Advisory & Assurance
DORA applies to licensed financial institutions, such as banks, insurance companies, investment firms, stock exchanges, fintech, etc. and ICT third-party service providers like cloud computing services, software, data analytics services and data centres. These organisations will have to implement the regulation and become fully compliant by the end of 2024.
DORA puts the relationship between the financial institutions and their technology suppliers in a new light to jointly address the regulatory requirements. Financial entities and ICT third-party service providers need increased collaboration in their journey towards compliance with DORA. Financial institutions need to be reassured that their providers are qualified partners in preparation for this paradigm shift. Without this reassurance, financial institutions will need to look for alternative providers.
DORA In-scope entities as per 'Article 2 - Scope'
Financial Entities | ICT Third-party Service Providers* |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| * the entities listed are examples of ICT Third Party Service Providers |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
|
This Regulation does not apply to:
- managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;
- insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;
- institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;
- natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are micro-enterprises or small or medium-sised enterprises;
- post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.
