Applicability TestEU DORA

EU DORA Applicability Test

Decide whether DORA applies by checking the entity type, ICT service relationship, critical or important function, exclusion, and evidence record.

Built for financial institutions, ICT providers, outsourcing teams, procurement, security, legal, resilience, and product owners who need a documented scope decision before assigning DORA work.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 26, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 26, 2026
Overview

Use this applicability test to separate three questions that are often mixed together: whether the organisation is a DORA financial entity, whether an ICT provider relationship is relevant to that financial entity, and whether the service supports a critical or important function. The output should be a classification record that can feed the ICT risk framework, the third-party policy, the register of information, contract remediation, and supervisory evidence.

Section 1

Step 1: identify the DORA role before assigning obligations

DORA first applies by actor. Article 2 lists financial entities such as credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, AIF managers, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and ICT third-party service providers.

For a financial group, do not stop at the trading name. Record the regulated entity, branch or group entity, authorisation category, home competent authority, and the business service that uses ICT. For an ICT supplier, record whether it provides ICT services to one or more DORA financial entities, whether it is intra-group or external, and whether the service is direct or part of a subcontracting chain.

  • Classify the organisation as a DORA financial entity, an ICT third-party service provider, both, or out of scope on the facts reviewed.
  • For financial entities, map the exact Article 2 category rather than using broad labels such as fintech, insurer, fund, platform, or vendor.
  • For suppliers, capture the customer financial entity, the ICT service, the contracting entity, the service recipient, and any subcontractors that effectively support the service.
  • If the same group entity both consumes and provides ICT services, test the financial-entity obligations and the ICT-provider facts separately.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Article 2 defines the financial entities in scope and includes ICT third-party service providers in the Regulation's scope.
Section 2

Step 2: check exclusions and proportionality before expanding the workstream

A DORA applicability test should record exclusions explicitly. Article 2 excludes certain AIF managers, certain insurance and reinsurance undertakings, pension institutions with schemes that together have no more than 15 members, persons exempted under specified MiFID II provisions, insurance and reinsurance intermediaries and ancillary insurance intermediaries that are microenterprises or SMEs, and post office giro institutions. Member States may also exclude specified credit-institution categories located in their territory.

A positive scope decision is not the same as a uniform control burden. DORA uses proportionality across ICT third-party risk, register work, and technical standards. The test should therefore classify the entity and service first, then scale evidence expectations by size, overall risk profile, and the nature, scale and complexity of services, activities, and operations.

  • Record the exclusion reviewed, the legal category relied on, and the evidence that supports or rejects the exclusion.
  • Do not use microenterprise, SME, group size, or low ICT maturity as a general exemption unless the cited DORA exclusion or framework actually supports it.
  • When DORA applies, document proportionality factors separately from the yes-or-no applicability result.
  • Reopen the decision when authorisation status, entity category, Member State treatment, group structure, or regulated activity changes.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Article 2 lists exclusions and Article 28 applies proportionality to ICT third-party risk management.
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
Article 1 requires the third-party policy to account for size, overall risk profile, and the nature, scale and complexity of the financial entity's services, activities, and operations.
Section 3

Step 3: decide whether the ICT service supports a critical or important function

The main operational fork is whether an ICT service supports a critical or important function. DORA defines that function as one whose disruption would materially impair financial performance, soundness or continuity of services and activities, or continued compliance with authorisation and financial-services obligations. This classification drives the register, third-party policy, contract clauses, monitoring, exit planning, and subcontractor evidence.

Use a service-by-service assessment. A cloud platform, data feed, managed security service, payment gateway, trading system, claims platform, identity system, core ledger, reporting tool, or support platform may be in a different category depending on the regulated activity it supports and the impact of disruption.

  • Name the business function, regulated activity, ICT service, ICT assets, information assets, service owner, and financial entity that depends on the service.
  • Assess impact on financial performance, service continuity, customer delivery, authorisation conditions, reporting obligations, and other financial-services legal duties.
  • Classify each service as supporting a critical or important function, not supporting one, or not yet assessed; do not leave high-reliance services unclassified.
  • Document alternative providers, substitutability, data sensitivity, location of processing and storage, concentration risk, and reliance level where the service supports a critical or important function.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Article 3 defines critical or important function, ICT services, ICT third-party risk, and ICT third-party service provider.
Implementing Regulation (EU) 2024/2956 on DORA register templates
The register templates require criticality assessment, reasons for criticality, reliance, substitutability, and subcontractor supply-chain information for ICT services.
Section 4

Step 4: test ICT third-party and subcontracting relevance

For a financial entity, DORA requires ICT third-party risk to be managed as part of the ICT risk management framework. Before entering an ICT services contract, the financial entity must assess whether the arrangement supports a critical or important function, whether supervisory conditions are met, relevant risks, due diligence on the provider, and conflicts of interest. The register of information must cover contractual arrangements for ICT services and distinguish those supporting critical or important functions.

For subcontracting, the question is not only whether a named prime vendor is acceptable. The financial entity must be able to see whether subcontractors effectively underpin ICT services supporting critical or important functions, whether the provider can identify and notify those subcontractors, whether access and inspection rights flow through, and whether material subcontracting changes can be assessed before implementation.

  • For each provider, capture contract reference, direct provider, intra-group provider if any, subcontractors, service type, locations, data processed or stored, and the supported function.
  • Before approval, verify due diligence on provider resources, information security, risk management, internal controls, business continuity, incident response, audit access, and use of subcontractors.
  • For critical or important functions, check service levels, incident assistance, authority cooperation, TLPT cooperation where relevant, access and audit rights, exit strategy, transition period, and data return or transfer.
  • Escalate where the service is hard to substitute, concentrated in one provider or a small provider set, hosted or subcontracted through third countries, or dependent on a long or opaque subcontracting chain.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Articles 28 to 30 set the core third-party risk, register, pre-contract assessment, concentration risk, and contract-provision requirements.
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
The RTS specifies governance, lifecycle, risk assessment, due diligence, monitoring, documentation, exit, and senior-management responsibilities for ICT services supporting critical or important functions.
Delegated Regulation (EU) 2025/532 on subcontracting ICT services
The RTS specifies due diligence, risk assessment, monitoring, material-change notice, objection, and termination expectations for subcontracting ICT services supporting critical or important functions.
Section 5

Applicability evidence record

The result of the test should be usable without the person who made it. Store the decision as a short evidence record that states the scope conclusion, the facts reviewed, the source relied on, the controls or artifacts triggered, and the reassessment triggers. A useful record prevents two common errors: assigning DORA work to a vendor relationship that is not tied to a DORA financial entity, or missing a critical or important function because the contract was labelled as ordinary technology procurement.

The minimum evidence set should support both internal governance and supervisory review: entity classification, exclusion analysis, service mapping, criticality reasoning, provider and subcontractor identifiers, contract references, locations, data sensitivity, reliance and substitutability assessment, owner approval, and the register-of-information row or reason why no row is required.

Does DORA apply to every technology supplier used by a financial business?

No. The supplier analysis starts with an in-scope financial entity and an ICT service relationship. The strongest DORA third-party obligations arise where the ICT service supports a critical or important function, although the financial entity's register and ICT risk framework can still require documentation for broader ICT service arrangements.

Can a provider certificate or ISO control report decide DORA applicability?

No. Certificates and audit reports may support due diligence, but the applicability decision must still classify the financial entity, ICT service, supported function, provider relationship, subcontracting chain, and DORA source basis.

What should be marked blocked in a DORA applicability review?

Mark the decision blocked when the team cannot identify the regulated entity category, the customer financial entity, the service recipient, the supported function, the ICT service supply chain, the contract owner, or the evidence needed to decide whether a critical or important function is supported.

  • Decision: in scope as financial entity, in scope as ICT third-party service provider, relevant provider to an in-scope financial entity, excluded, or not enough evidence.
  • Facts: Article 2 category, exclusion reviewed, regulated activity, ICT service, supported function, contract owner, provider, subcontractor chain, data location, processing location, and group context.
  • Criticality: disruption impact, compliance impact, reliance level, substitutability, concentration risk, and reasons for the critical or important function classification.
  • Triggered artifacts: ICT risk framework update, third-party policy review, register-of-information entry, contract clause gap list, subcontractor assessment, exit plan, audit plan, incident process link, or TLPT dependency check.
  • Review triggers: new or changed regulated activity, new financial-entity customer, provider or subcontractor change, material service-level change, new processing or storage country, function becoming critical or important, or authority request.
Sources for this answer
Implementing Regulation (EU) 2024/2956 on DORA register templates
The ITS grounds the evidence fields for provider identifiers, supply chains, function criticality, reliance, substitutability, and register data quality.
Delegated Regulation (EU) 2024/1502 on critical ICT third-party provider designation
The RTS shows how register data, financial-entity reliance, critical or important functions, systemic impact, subcontractor dependence, and substitutability feed critical provider designation.
Recommended next step

Create a DORA scope record your teams can reuse

Sorena can help convert the DORA applicability facts on this page into a cited classification record, third-party evidence request, register input, and reassessment workflow.

Research workflow
Open Research Copilot for EU DORA

Ask source-linked questions about DORA scope, ICT third-party services, critical or important functions, register evidence, and subcontracting dependencies.

Explore next step
Talk to Sorena
Talk through implementation

Review a DORA applicability test, provider map, evidence gap, or register-of-information workflow with Sorena.

Explore next step
Primary sources

References and citations

Delegated Regulation (EU) 2025/532 on subcontracting ICT services
eur-lex.europa.eu
Referenced sections
  • The RTS specifies due diligence, risk assessment, monitoring, material-change notice, objection, and termination expectations for subcontracting ICT services supporting critical or important functions.
"subcontracting ICT services supporting critical or important functions"
Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Articles 28 to 30 set the core third-party risk, register, pre-contract assessment, concentration risk, and contract-provision requirements.
"manage ICT third-party risk"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.