DORA ICT Risk Applicability Checker

Find your ICT risk duties under the EU Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, sets a single ICT and cyber-resilience rulebook for the EU financial sector and applies from 17 January 2025. This checker maps your entity type to its DORA scope, tells you whether the full or simplified framework applies, and lists the obligations that follow.

How it works

Scope is driven by entity type. Most regulated financial entities are in scope; a few micro and small intermediaries are excluded, and a band of small, non-interconnected entities may use the simplified ICT risk framework under Article 16:

In scope (full):       banks, payment/e-money institutions, insurers, CASPs,
                       CSDs, CCPs, trading venues, fund managers
In scope (simplified): small non-interconnected investment firms, small IORPs,
                       crowdfunding providers
ICT provider:          oversight only if designated a Critical ICT Third-Party Provider
Excluded:              micro/SME insurance intermediaries, IORPs under 100 members

For in-scope entities the tool then lists DORA’s five pillars and marks which items are reduced under the simplified regime.

Notes and example

A small, non-interconnected investment firm is in scope but can run the simplified Article 16 framework, so its testing and information-sharing duties are lighter than a large bank’s full programme. A major cloud provider is not a financial entity and only faces direct DORA oversight if it is designated critical — otherwise it meets DORA through the contracts its financial clients are required to put in place. Exact proportionality depends on precise size and interconnectedness thresholds, so treat this as an educational screening and confirm borderline cases with your regulator or counsel. All processing stays in your browser.