All eyes in the financial services industry are slowly turning towards the EU's Digital Operational Resilience Act (DORA), which will be applicable from 17 January 2025 and will impose different types of principles and requirements on financial entities and their third-party technology providers. Aiming to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, the regulation comprehensively covers areas of ICT risk management, digital operational resilience testing, information sharing and oversight of critical third-party providers, amongst other functions.
But none of that matters unless a financial entity falls under the scope of DORA.
Although the regulation is rather generous in its scope and attempts to cover the vast majority of services in the industry, each firm must meet certain criteria to be correctly classified and to determine whether its operations need to comply with the act.
How DORA defines each financial entity
In the DORA itself, the different types of financial entities are laid out, referencing definitions across various other European Directives and Regulations.
Under Article 3 of the Regulation, the following definitions are applicable for each type of financial entity (all parts in italics directly reference the definition in each associated Directive or Regulation):
(31) 'credit institution' means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (32);
- 'credit institution' means an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account;
(33) 'investment firm' means an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU;
- 'investment firm' means any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis;
(34) 'small and non-interconnected investment firm' means an investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033 of the European Parliament and of the Council (33);
- Investment firms shall be deemed to be small and non-interconnected investment firms for the purposes of this Regulation where they meet all of the following conditions:
  - (a) Assets under management (AUM) measured in accordance with Article 17 is less than EUR 1,2 billion;
  - (b) Client orders handled (COH) measured in accordance with Article 20 is less than either:
    - (i) EUR 100 million/day for cash trades; or
    - (ii) EUR 1 billion/day for derivatives;
  - (c) Assets Safeguarded and Administered (ASA) measured in accordance with Article 19 is zero;
  - (d) Client Money Held (CMH) measured in accordance with Article 18 is zero;
  - (e) Daily Trading Flow (DTF) measured in accordance with Article 33 is zero;
  - (f) Net Position Risk (NPR) or Clearing Margin Given (CMG) measured in accordance with Articles 22 and 23 is zero;
  - (g) Trading Counterparty Default (TCD) measured in accordance with Article 26 is zero;
  - (h) The on- and off-balance-sheet total of the investment firm is less than EUR 100 million;
  - (i) The total annual gross revenue from investment services and activities of the investment firm is less than EUR 30 million, calculated as an average on the basis of the annual figures from the two-year period immediately preceding the given financial year.
(35) 'payment institution' means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;
- 'payment institution' means a legal person that has been granted authorisation in accordance with Article 11 to provide and execute payment services throughout the Union;
(36) 'payment institution exempted pursuant to Directive (EU) 2015/2366' means a payment institution exempted pursuant to Article 32(1) of Directive (EU) 2015/2366;
- Member States may exempt or allow their competent authorities to exempt, natural or legal persons providing payment services as referred to in points (1) to (6) of Annex I from the application of all or part of the procedure and conditions set out in Sections 1, 2 and 3, with the exception of Articles 14, 15, 22, 24, 25 and 26, where:
  - the monthly average of the preceding 12 months' total value of payment transactions executed by the person concerned, including any agent for which it assumes full responsibility, does not exceed a limit set by the Member State but that, in any event, amounts to no more than EUR 3 million. That requirement shall be assessed on the projected total amount of payment transactions in its business plan, unless an adjustment to that plan is required by the competent authorities; and
  - none of the natural persons responsible for the management or operation of the business has been convicted of offences relating to money laundering or terrorist financing or other financial crimes.
(37) 'account information service provider' means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;
- Natural or legal persons providing only the payment service as referred to in point (8) of Annex I shall be exempt from the application of the procedure and conditions set out in Sections 1 and 2, with the exception of points (a), (b), (e) to (h), (j), (l), (n), (p) and (q) of Article 5(1), Article 5(3) and Articles 14 and 15. Section 3 shall apply, with the exception of Article 23(3).
(38) 'electronic money institution' means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council;
- 'electronic money institution' means a legal person that has been granted authorisation under Title II to issue electronic money;
(39) 'electronic money institution exempted pursuant to Directive 2009/110/EC' means an electronic money institution benefitting from a waiver as referred to in Article 9(1) of Directive 2009/110/EC;
- Member States may waive or allow their competent authorities to waive the application of all or part of the procedures and conditions set out in Articles 3, 4, 5 and 7 of this Directive, with the exception of Articles 20, 22, 23 and 24 of Directive 2007/64/EC, and allow legal persons to be entered in the register for electronic money institutions if both of the following requirements are complied with:
  - (a) the total business activities generate an average outstanding electronic money that does not exceed a limit set by the Member State but that, in any event, amounts to no more than EUR 5 000 000; and
  - (b) none of the natural persons responsible for the management or operation of the business has been convicted of offences relating to money laundering or terrorist financing or other financial crimes.
(41) 'trade repository' means a trade repository as defined in Article 2, point (2), of Regulation (EU) No 648/2012;
- 'trade repository' means a legal person that centrally collects and maintains the records of derivatives;
(42) 'central securities depository' means a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;
- 'central securities depository' or 'CSD' means a legal person that operates a securities settlement system referred to in point (3) of Section A of the Annex and provides at least one other core service listed in Section A of the Annex;
(43) 'trading venue' means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU;
- 'trading venue' means a regulated market, an MTF or an OTF;
(45) 'management company' means a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC;
- 'management company' means a company, the regular business of which is the management of UCITS in the form of common funds or of investment companies (collective portfolio management of UCITS);
(60) 'microenterprise' means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million;
(63) 'small enterprise' means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million;
(64) 'medium-sized enterprise' means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million.
Conclusion
It is of the utmost importance to first determine whether a company actually falls within the legal definitions of DORA before conducting a gap assessment, which would identify the key areas of compliance required to stay in line with the regulation. If you are interested in finding out more about DORA and whether your firm falls under its requirements, our team of experts can help you navigate the regulatory landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.