DORA applies to a wide range of financial entities including credit institutions, electronic money institutions, payment institutions, investment firms, fund managers, insurance and reinsurance undertakings and intermediaries as well as institutions for occupational retirement provision, credit rating agencies and administrators of critical benchmarks (in-scope entities). Most importantly, the scope of DORA requirements also cover ICT Third-Party Service Providers (TPPs).

DORA applies to a broader range of contracts as it applies to the use of ‘ICT Services’ which are defined as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider.

All entities in scope need to comply with DORA requirements as of 17 January 2025.