A source-grounded workflow for deciding whether an entity is covered by DORA, whether the simplified ICT risk management framework is available, and how proportionality changes the evidence expected.
Use it to connect covered-entity classification, critical or important functions, ICT service dependencies, register-of-information evidence, TLPT considerations, and management-body approvals.
Structured answer sets in this page tree.
Cited legal and guidance references.
DORA scope work should not stop at naming a licence category. A durable assessment records whether the organisation is a financial entity listed in DORA Article 2, whether an exclusion or Member State option is relevant, whether Article 16 simplified ICT risk management applies, and how the size, risk profile, services, activities, operations, ICT assets, third-party services, and critical or important functions affect implementation.
Start with the legal perimeter. DORA applies to the financial-entity categories listed in Article 2, including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, fund managers, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. Article 2 also lists ICT third-party service providers separately from the financial-entity categories.
Then record exclusions and boundary questions. Article 2 excludes several categories, including certain AIFMs, certain insurance and reinsurance undertakings, IORPs operating pension schemes with no more than 15 members in total, persons exempted under MiFID II Articles 2 and 3, insurance intermediaries that are microenterprises or SMEs, and post office giro institutions. It also lets Member States exclude specified CRD-exempt entities located in their territory.
After the entity is in scope, check whether it belongs to the Article 16 simplified-framework population. DORA lists small and non-interconnected investment firms, exempted payment institutions, certain CRD-exempt institutions where the Member State has not excluded them under Article 2(4), exempted electronic money institutions, and small institutions for occupational retirement provision.
Do not treat simplified as no work. Article 16 still requires a documented ICT risk management framework, monitoring of ICT systems, resilient and updated ICT tools, prompt detection and handling of incidents, identification of key ICT third-party dependencies, continuity of critical or important functions, testing of continuity measures and controls, and use of test and incident conclusions in ICT risk assessment.
Article 4 makes proportionality a method for implementing DORA obligations, not a shortcut for avoiding them. The assessment should explain how size, overall risk profile, and the nature, scale and complexity of services, activities and operations affect the detail, frequency, testing depth, audit focus, and management reporting used for Chapters II, III, IV and Chapter V Section I.
Use proportionality consistently. If the organisation uses a lighter control, shorter report, less frequent review, or smaller evidence sample, the record should explain the risk-based reason and identify which critical or important functions, ICT assets, information assets, and ICT third-party dependencies were considered.
The workflow should classify functions before it classifies suppliers. DORA defines a critical or important function as one whose disruption would materially impair the financial entity's financial performance, soundness or continuity of services and activities, or continuing compliance with authorisation and financial-services-law obligations.
For each critical or important function, identify the supporting business owner, ICT systems, information assets, ICT assets, direct ICT third-party service providers, intra-group ICT service providers, subcontractors that effectively underpin the service, locations where services and data are provided or processed, concentration risks, substitutability, exit options, and continuity impact.
The final output should be a scope and proportionality record that can be reused for the ICT risk management framework, incident process, testing programme, third-party risk strategy, register of information, contract policy, subcontracting approvals, and TLPT scoping where applicable.
Where TLPT is relevant, do not self-designate only from internal preference. DORA and the TLPT RTS rely on competent-authority identification and consider impact on the financial sector, financial stability concerns, ICT risk profile, ICT maturity, and technology features. The entity's internal record should therefore identify critical or important functions and supporting ICT systems clearly enough for TLPT scoping and supervisory validation.
Sorena can help structure covered-entity classifications, simplified-framework conclusions, critical-function inventories, ICT dependency records, and governance approvals against the cited DORA sources.
Ask source-linked questions about DORA scope, proportionality, simplified ICT risk management, ICT third-party dependencies, and evidence records.
Review DORA entity scope, critical or important functions, ICT dependency evidence, and management approvals with Sorena.
"approval, management, control, and documentation"
"nature, scale and elements of increased or reduced complexity"
"criteria used for identifying financial entities required to perform threat-led penetration testing"
"subcontracting ICT services supporting critical or important functions"
"standard templates for the register of information"
"bear the ultimate responsibility for managing the financial entity's ICT risk"