To ensure consistency across the financial system, the Regulation will apply to a number of EU-regulated financial institutions, including credit institutions, payment institutions, securities dealers, insurance companies including intermediaries, etc. It will also apply to third-party ICT service providers. Under the proposal, this category will include in particular cloud service providers, software, data centres and others. However, some operators of payment systems with irrevocable settlement will not be included under DORA.
Which subjects are affected by DORA?
The Regulation applies to a number of financial institutions regulated by the EU, including credit institutions, payment institutions, securities dealers, insurance companies, etc. It will also apply to ICT service providers. This category includes, for example, suppliers of cloud services, software and data centres. On the other hand, certain operators of payment and credit card systems are exempted. Micro-enterprises in particular (up to 10 persons, with an annual turnover of less than EUR 2 million) are granted significant relief from some obligations. For example, they are not obliged to establish, maintain and review a so-called comprehensive digital operational resilience testing programme.
The BDO approach
If your organization follows the DORA Regulation, we can provide audit work and verify the correct setup of the DORA requirements. If you would like to bring your organization into DORA compliance, we can help you with the complete A to Z implementation process.