Scope

Article 2 precisely delineates which organizations must comply with DORA. The regulation casts a wide net, capturing 21 different categories of financial entities. This includes traditional players such as credit institutions and investment firms, but also extends to newer entrants like crypto-asset service providers and crowdfunding platforms.

The scope reflects the interconnected nature of modern financial markets. Central counterparties, trade repositories, central securities depositories, and data reporting service providers are all included, recognizing that operational failures at these infrastructure nodes can cascade across the entire financial system.

A critical feature of Article 2 is the proportionality principle. DORA acknowledges that a large systemically important bank faces different ICT risks than a small payment institution. The regulation allows competent authorities to calibrate certain requirements based on the size, nature, scale, and complexity of an entity's activities. However, this proportionality does not exempt any in-scope entity from the core obligations.

The article also brings ICT third-party service providers within the regulatory perimeter, albeit through a separate oversight framework rather than direct regulation. This is a significant departure from previous approaches and reflects the systemic importance of cloud providers and technology vendors to the financial sector.