Am I in DORA scope?

Question 1 of 7

What type of organisation are you?

DORA Article 2 lists the financial entities in scope.

A regulated financial entity — bank, payment / e-money institution, investment firm, insurer/reinsurer, fund manager, CCP/CSD/trading venue, CASP (MiCAR), etc. Insurance intermediary, IORP (pension), AISP, crowdfunding provider, or a small/exempt-type financial entity An ICT third-party provider — I provide ICT services (cloud, software, data, etc.) to financial entities A non-financial company / something else

Question 2 of 7

Are you established or authorised in the EU (or providing regulated services into the EU)?

Yes No — fully outside the EU with no EU activity Unsure

Question 3 of 7

Is your entity a microenterprise?

Fewer than 10 staff and annual turnover or balance sheet ≤ €2m.

Yes No Unsure

Question 4 of 7

Do any of these Article 2(3) exemptions apply to you?

DORA explicitly excludes a few categories.

Yes — e.g. manager of AIFs below AIFMD Art. 3 thresholds, an IORP operating schemes with fewer than 15 members total, an exempt small insurance intermediary, a post-office giro / CRD Art. 2(5) exempt institution No, none of these Unsure

Question 5 of 7

Are you a "small and non-interconnected" investment firm, or an exempt/small payment, e-money or AISP entity?

These qualify for the simplified ICT risk management framework (Article 16).

Yes No Not applicable

Question 6 of 7

Do you rely on ICT systems to deliver critical or important functions?

Functions whose disruption would materially impair your services, soundness or continuity.

Yes No Unsure

Question 7 of 7

Are you a significant / systemically important entity?

e.g. a significant credit institution (SSM), CCP, CSD — relevant to Threat-Led Penetration Testing (TLPT) obligations.

Yes No Unsure