Source: OJ L 333, 27.12.2022, p. 1–79

Current language: EN

Article 2 Scope


Summary What does Article 2 of the DORA regulation say?

This is the foundational scope article for DORA, establishing which entities the regulation applies to.

It casts a wide net across the financial sector, covering a broad range of entities from credit institutions and payment firms through to crypto-asset service providers, insurance intermediaries, and ICT third-party service providers.

Crucially, the article also carves out a number of exclusions, meaning that certain smaller or otherwise exempt entities falling within those same categories will not be subject to the regulation.

Member States are additionally given discretion to exclude certain entities located in their territory, with a transparency obligation to inform the Commission of any such decision.

Important points:

  • DORA applies to a wide range of financial sector entities, collectively referred to as "financial entities," as well as ICT third-party service providers.
  • Certain entities are explicitly excluded from scope, including very small insurance intermediaries that qualify as microenterprises or small and medium-sized enterprises, and institutions for occupational retirement provision with no more than 15 members.
  • Member States have the option to exclude certain nationally-located entities from scope, but must notify the Commission and ensure that information is made publicly available.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Without prejudice to paragraphs 3 and 4, this Regulation applies to the following entities:

      1. credit institutions;

      2. payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;

      3. account information service providers;

      4. electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;

      5. investment firms;

      6. crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’) and issuers of asset-referenced tokens;

      7. central securities depositories;

      8. central counterparties;

      9. trading venues;

      10. trade repositories;

      11. managers of alternative investment funds;

      12. management companies;

      13. data reporting service providers;

      14. insurance and reinsurance undertakings;

      15. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;

      16. institutions for occupational retirement provision;

      17. credit rating agencies;

      18. administrators of critical benchmarks;

      19. crowdfunding service providers;

      20. securitisation repositories;

      21. ICT third-party service providers.

    1. For the purposes of this Regulation, entities referred to in paragraph 1, points (a) to (t), shall collectively be referred to as ‘financial entities’.

    1. This Regulation does not apply to:

      1. managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;

      2. insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;

      3. institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;

      4. natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;

      5. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises;

      6. post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.

    1. Member States may exclude from the scope of this Regulation entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU that are located within their respective territories. Where a Member State makes use of such option, it shall inform the Commission thereof as well as of any subsequent changes thereto. The Commission shall make that information publicly available on its website or other easily accessible means.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod