Artifact GuideEU

EU DORA Scope & Covered Entities

A defensible way to decide if DORA applies to you - and what layer applies.

Built for regulators and audits: scope memo, evidence inputs, and owner assignments.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
1

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 23, 2026
Updated Feb 23, 2026
Overview

DORA scope is not a vibe-check. It's a written classification of (1) whether you are a covered financial entity under Article 2, (2) what proportionality/simplified framework applies, and (3) which services in your group are in scope (entity, sub-consolidated and consolidated). This page helps you produce a scope memo you can defend and maintain as your business evolves.

Section 1

What DORA covers (and why scope matters operationally)

DORA is a sector-specific operational resilience regulation for the financial sector. Its workstreams are concrete: ICT risk management controls, ICT incident management and reporting, resilience testing including TLPT, and ICT third-party risk governance.

Scope decisions drive the cost profile of compliance. For example: TLPT readiness, incident reporting pipelines, and register of information build-outs are not "optional" once in scope.

  • Treat scope as a living artifact: update it when entity type, licensing, or group structure changes.
  • Run scope per entity and per group layer: entity-level plus sub-consolidated/consolidated registers and governance where required.
  • Ship a scope memo: service facts -> classification -> obligations -> owners -> evidence.
Recommended next step

Use EU DORA Scope & Covered Entities as a cited research workflow

Research Copilot can take EU DORA Scope & Covered Entities from clarifying scope and applicability with cited answers to a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Research workflow
Open Research Copilot for EU DORA Scope & Covered Entities

Start from EU DORA Scope & Covered Entities and answer scope, timing, and interpretation questions with cited outputs.

Explore next step
Talk to Sorena
Talk through EU DORA

Review your current process, evidence gaps, and next steps for EU DORA Scope & Covered Entities.

Explore next step
Section 2

Step 1 - Are you a covered financial entity (Article 2)?

DORA's primary scope is financial entities listed in Article 2. Start by identifying your authorization/licensing category and map it to the Article 2 list.

Many organizations have multiple regulated entities (bank + investment firm + payment services). Scope each regulated entity separately, then build a group view.

  • Identify your legal entities and licenses; map each to a covered category in Article 2.
  • Document competent authority and supervisory perimeter per entity (useful for incident reporting routing).
  • Record what you are not: if you're not a covered financial entity, you may still be impacted as an ICT third-party provider supporting critical or important functions.
Section 3

Step 2 - Proportionality and simplified frameworks (what can be scaled down)

DORA is explicit about proportionality. Requirements are applied considering the nature, scale, complexity and risk profile of the entity and its ICT dependencies.

Some entities can use simplified ICT risk management frameworks and reduced testing requirements; document the basis for the simplification.

  • Define your proportionality basis: size, business model, criticality of services, and ICT dependency profile.
  • Document simplified controls: what is simplified, what is not, and why the residual risk is acceptable.
  • Keep "proportionality evidence": risk assessments, management body decisions, and review cadence.
Section 4

Step 3 - Group-level scope: entity vs sub-consolidated vs consolidated

DORA third-party risk governance and the register of information explicitly operate at multiple levels: entity level and (where relevant) sub-consolidated and consolidated levels.

This is where programs fail if the operating model is unclear: procurement and vendor management often sit centrally while supervision is entity-based.

  • Define a group operating model: who owns the central policy vs entity-specific implementation.
  • Maintain the register of information at entity level and, where required, at sub-consolidated and consolidated levels.
  • Plan a supervisory response model: which authority asks for which register section and who can produce it quickly.
Section 5

Step 4 - ICT third-party providers and the "critical provider" layer

DORA also creates an EU oversight framework for critical ICT third-party service providers (CTPPs). Even if you're not a financial entity, you can be impacted if you provide ICT services supporting critical or important functions for in-scope entities.

Financial entities must manage third-party risk and maintain a register of information covering all contractual arrangements for ICT services.

  • Financial entities: implement ICT third-party risk strategy, contractual minimum clauses, concentration risk assessments, and exit plans; keep the register of information.
  • ICT providers: be prepared for contractual clauses aligned to DORA RTS and, if designated critical, oversight interactions and requirements.
  • Program implication: procurement/legal/security must align on contract playbooks and evidence artifacts.
Section 6

Scope memo template (copy/paste)

A scope memo is a short document you update over time. It is your single source of truth for: what applies, to whom, and what program owners must deliver.

Use this structure to avoid ambiguity and scope drift.

  • 1) Entity inventory: legal entities, licenses, supervisors, and covered category mapping (Article 2).
  • 2) Service inventory: critical/important functions and ICT-supported business functions; key ICT dependencies.
  • 3) Proportionality statement: simplified framework decisions and rationale.
  • 4) Obligation map: ICT risk controls (Chapter II), incident reporting (Chapter III), testing/TLPT (Chapter IV), third-party risk + register (Chapter V).
  • 5) Owner map: RACI for each workstream; evidence pack location and retrieval process.
  • 6) Change triggers: what changes force re-scoping (new product, new license, new outsourcing model).
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA) - Official Journal
eur-lex.europa.eu
Referenced sections
  • Primary legal text for DORA scope (Article 2) and the layered compliance workstreams: ICT risk management, incident reporting, testing/TLPT, and ICT third-party risk including the register of information (Article 28).
Related guides

Explore more topics

DORA Applicability Test | Is EU DORA Applicable to Your Entity?
A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.
DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk
High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.
DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774
A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence.
DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532
A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.
DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301
A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.
DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments
A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).
DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956
Build an audit-ready DORA Register of Information (RoI): define scope and relational keys.
DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)
A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).
DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide
A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation.
DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness
A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.
DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities
A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.
EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)
An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.
EU DORA Compliance Guide | DORA Implementation Playbook
A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.
EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence
A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301.
EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)
A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).