Financial Entity (DORA)

A financial entity is the broad category of organisations subject to DORA. The category spans a wide spectrum from traditional banks and insurance undertakings to newer players such as crypto-asset service providers. All financial entities are subject to DORA's requirements for ICT risk management and digital operational resilience.

Back to Dictionary

Table of Contents

    Which organisations are financial entities?

    DORA Article 2 defines the scope. The following types of organisations are financial entities under DORA:

    • Credit institutions: Banks and other credit institutions authorised under EU banking legislation.
    • Payment institutions: Including electronic money institutions regulated under the Payment Services Directive.
    • Account information service providers
    • Investment firms
    • Crypto-asset service providers (CASPs): Regulated under MiCA (Markets in Crypto-Assets Regulation).
    • Issuers of asset-referenced tokens
    • Central securities depositories
    • Central counterparties (CCPs)
    • Trading venues
    • Trade repositories
    • Managers of alternative investment funds (AIFMs)
    • Management companies for UCITS
    • Insurance and reinsurance undertakings: Covering the full range of insurance and reinsurance activities.
    • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
    • Institutions for occupational retirement provision (IORPs)
    • Credit rating agencies
    • Administrators of critical benchmarks
    • Crowdfunding service providers
    • Securitisation repositories

    Exemptions and simplifications

    DORA contains certain exemptions and simplified requirements:

    • Micro-enterprises: Financial entities with fewer than 10 employees and under EUR 2 million in turnover or balance sheet total are subject to simplified requirements under DORA.
    • Certain insurance intermediaries: Exempted from certain provisions based on their size.
    • Public bodies: Certain public institutions are exempted from DORA's scope.


    ICT third-party service providers are not financial entities:     ICT third-party service providers to the financial sector are not themselves financial entities under DORA. They are instead subject to DORA's rules on ICT third-party risk, and the most systemically important may be designated as critical ICT third-party service providers subject to direct EU oversight.

    What are the obligations for financial entities?

    All financial entities must comply with DORA's requirements across its five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management and information sharing. The extent of the obligations is subject to the proportionality principle, meaning that smaller and less complex entities face less onerous requirements.

    Frequently Asked Questions about Financial Entity (DORA)

    What is a financial entity under DORA?

    A financial entity is any organisation falling within the scope of DORA Article 2. This includes banks, payment institutions, investment firms, insurance undertakings, pension funds, crypto-asset service providers and many other types of regulated financial organisations.

    Is my fintech start-up subject to DORA?

    It depends on whether your fintech is regulated as a financial entity under EU financial legislation. Payment institutions, electronic money institutions and crypto-asset service providers are all financial entities under DORA. Check which regulatory status your business holds.

    Are ICT service providers financial entities under DORA?

    No. ICT third-party service providers to the financial sector are not themselves financial entities. They are subject to DORA's rules on ICT third-party risk, and the most systemically important may be designated as critical ICT third-party service providers subject to direct EU oversight.

    Do micro-enterprises have to comply with DORA?

    Yes, but DORA applies simplified requirements to micro-enterprises (fewer than 10 employees and under EUR 2 million in turnover or balance sheet total). They are not fully exempt but face less onerous obligations.

    When did DORA become applicable to financial entities?

    DORA has applied since 17 January 2025. All financial entities within its scope must already comply with the regulation's requirements for ICT risk management, incident reporting and resilience testing.

    +400 companies use .legal
    Region Sjælland
    Aarhus Universitet
    aj_vaccines_logo
    Realdania
    Right People
    IO Gates
    PLO
    Finans Danmark
    geia-food
    Vestforbrænding
    Evida
    Klasselotteriet
    NRGI1
    BLUE WATER SHIPPING
    Karnov
    Ingvard Christensen
    VP Securities
    AH Industries
    Lægeforeningen
    InMobile
    AK Nygart
    ARP Hansen
    DEIF
    DMJX
    Axel logo
    qUINT Logo
    KAUFMANN (1)
    SMILfonden-logo
    kurhotel_skodsborg
    nemlig.com
    Molecule Consultancy
    Novicell
    Footer topswirl

    Info

    .legal A/S

    hello@dotlegal.com
    +45 7027 0127

    VAT-no: DK40888888

    Support

    support@dotlegal.com
    +45 7027 0127
    Need help?

     

    Office

    Aarhus

    Store Torv 14, 2.
    8000 Aarhus C

    We care about safety

    Download our declarations

    ISAE 3000

    ISAE 3402

    Modules

    Let me help you get started

    joa i blob
    Reach out to me on phone
    +45 7027 0127 and I'll get you started
    arrow-right-white Get a demo

    .legal is not a law firm and is therefore not under the supervision of the Bar Council.

    Footer bottomswirl