
Applicability and governance — DORA Articles 1, 2, 4, 5, 6, 16

DORA's scope, proportionality, and governance foundations sit in Chapter I (Articles 1–4) and the framing provisions of Chapter II (Articles 5 and 6, with the RTS mandate in Article 15 and the simplified regime in Article 16 closing the Chapter). This page walks through the operative provisions and shows how each lands in Modulos OFF-16 and MFF-16.

Quick decision

  • Financial entity → check Article 2(1). DORA scope is by entity type, not by size cap. Article 2(3) carves out specific entity types (small AIFMs, certain small IORPs, others).
  • Specific entity type listed in Article 16 → the simplified ICT risk management framework applies. The list is closed (small and non-interconnected investment firms; payment institutions exempted under Directive 2015/2366; institutions exempted under Directive 2013/36/EU where the Member State has not used the DORA Article 2(4) exclusion option; e-money institutions exempted under Directive 2009/110/EC; small IORPs). Delegated Regulation 2024/1774 carries the simplified-framework RTS.
  • ICT third-party service provider → Article 2(1) brings TPPs into DORA in their dealings with financial entities. The contractual obligations in Articles 28–30 apply to your relationships with financial entities regardless of whether you are later designated critical under Article 31.
  • Setting up the governance foundation → Article 5 establishes the management-body responsibilities; Article 6 establishes the baseline ICT risk management framework.
  • Cross-applying with NIS2 → apply DORA Article 1(2) — on matters DORA covers, DORA's specialised provisions apply for financial entities that would otherwise be essential or important under the national NIS2 transposition. See NIS2 vs DORA.

TL;DR

  • Article 2(1) lists DORA's in-scope financial entities by type. Article 2(3) carves out specific entity types from DORA's scope, including small AIFMs and certain small IORPs.
  • Article 4 enshrines proportionality: Chapter II rules apply taking into account the entity's size, risk profile, and complexity.
  • Article 5 establishes the management-body governance regime — overall responsibility, specific responsibilities, and the ongoing training duty.
  • Article 6 establishes the baseline ICT risk management framework. Article 16 reserves a simplified version of that framework for specific small / exempted entity types.
  • Delegated Regulation (EU) 2024/1774 lays down the regulatory technical standards specifying both the full ICT risk management framework and the simplified framework.

Primary source

Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) — Articles 1–6, 15, 16, 64 · Commission Delegated Regulation (EU) 2024/1774 (ICT RMF + simplified RMF RTS)

Article 1 — subject matter

Article 1(1) defines DORA's subject matter as uniform requirements for the security of network and information systems supporting the business processes of financial entities, with regard to ICT risk management requirements (Chapter II), the reporting of major ICT-related incidents (Chapter III), digital operational resilience testing (Chapter IV), ICT third-party risk management including by ICT third-party service providers (Chapter V Section I), the EU oversight framework for ICT third-party service providers designated as critical (Chapter V Section II), and information-sharing arrangements (Chapter VI).

Article 1(2) is the operative provision that allocates competence between DORA and the NIS2 Directive. It is structured so that DORA operates as a sector-specific Union legal act for the purposes of NIS2 Article 4: in relation to financial entities that would otherwise be essential or important entities under the national NIS2 transposition, DORA's specialised provisions apply on the matters DORA covers. NIS2 obligations remain relevant for areas DORA does not cover and where the national NIS2 transposition extends further.

Article 2 — scope

Article 2(1) — financial entities in scope

Article 2(1) lists the financial entities to which DORA applies. The list is detailed and includes (in summary, by entity category):

  • credit institutions;
  • payment institutions, including those exempted under Directive (EU) 2015/2366;
  • account information service providers;
  • electronic money institutions, including those exempted under Directive 2009/110/EC;
  • investment firms;
  • crypto-asset service providers authorised under MiCA (Regulation (EU) 2023/1114) and issuers of asset-referenced tokens;
  • central securities depositories;
  • central counterparties;
  • trading venues;
  • trade repositories;
  • managers of alternative investment funds (AIFMs);
  • management companies of undertakings for collective investment in transferable securities (UCITS);
  • data reporting service providers;
  • insurance and reinsurance undertakings;
  • insurance, reinsurance, and ancillary insurance intermediaries;
  • institutions for occupational retirement provision;
  • credit rating agencies;
  • administrators of critical benchmarks;
  • crowdfunding service providers;
  • securitisation repositories;
  • ICT third-party service providers — in scope under Article 2(1)(u), but under Article 2(2) only points (a)–(t) are collectively "financial entities"; TPPs are addressed by the third-party and oversight regimes rather than the financial-entity duties.

Scope is by entity category. Unlike NIS2, DORA does not use a size-cap rule.

Article 2(3) — exclusions

Article 2(3) excludes specific entity types from DORA's scope, including:

  • managers of alternative investment funds below the relevant threshold (Article 3(2) of Directive 2011/61/EU);
  • insurance and reinsurance undertakings below the threshold (Article 4 of Directive 2009/138/EC);
  • institutions for occupational retirement provision operating pension schemes which together do not have more than 15 members in total;
  • natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU (MiFID II);
  • insurance, reinsurance, and ancillary insurance intermediaries that are micro, small, or medium-sized enterprises;
  • post office giro institutions referred to in Directive 2013/36/EU.

The exclusion list is meaningful: many smaller pension funds, smaller insurance intermediaries, and below-threshold AIFMs sit outside DORA entirely.

Article 2(4) — additional discretionary option

Article 2(4) gives Member States the option to exclude the entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU (nationally enumerated institutions exempted from the CRD) located within their territories; a Member State using the option informs the Commission.

Article 4 — proportionality

Article 4 enshrines the proportionality principle:

Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.

Article 4(2) adds that financial entities apply Chapters III, IV and V, Section I, proportionately to their size and overall risk profile, and the nature, scale and complexity of their services — but only "as specifically provided for in the relevant rules of those Chapters". The proportionality principle shapes how each obligation is applied; it does not override the obligation itself.

Article 5 — management body governance

Article 5(1) requires financial entities to have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4). Article 5(2) then places overall accountability on the management body: it is required to define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6.

The second subparagraph of Article 5(2) enumerates specific management-body responsibilities, including (in summary):

  • bearing the ultimate responsibility for managing the financial entity's ICT risk;
  • putting in place policies to ensure high standards of availability, authenticity, integrity and confidentiality of data;
  • setting clear roles and responsibilities for all ICT-related functions and establishing appropriate governance arrangements;
  • bearing overall responsibility for setting and approving the digital operational resilience strategy;
  • approving, overseeing, and periodically reviewing the implementation of the financial entity's ICT business continuity policy and ICT response and recovery plans;
  • approving and periodically reviewing the financial entity's ICT internal audit plans and audits;
  • allocating and periodically reviewing the appropriate budget;
  • approving and periodically reviewing the policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
  • putting in place reporting channels enabling the management body to be duly informed — Article 5(2)(i) requires arrangements ensuring the body is informed of the arrangements concluded with ICT third-party service providers, of relevant planned material changes regarding those providers and their potential impact on critical or important functions, and of at least major ICT-related incidents and their impact, together with response, recovery and corrective measures.

The Article 5 specific-responsibility list is detailed enough that a management-body charter / terms of reference will typically need to be updated to reflect the obligations expressly.

Article 5(4) requires members of the management body to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.

Article 6 — ICT risk management framework

Article 6(1) is the cornerstone provision:

Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

The remaining paragraphs of Article 6 flesh out the framework in detail:

  • Coverage (Art 6(2)) — the strategies, policies, procedures, ICT protocols and tools necessary to duly and adequately protect information assets and ICT assets.
  • Control function (Art 6(4)) — financial entities, other than microenterprises, assign responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of its independence.
  • Review cadence (Art 6(5)) — the framework is documented and reviewed at least once a year (periodically in the case of microenterprises), upon the occurrence of major ICT-related incidents, and following supervisory instructions or conclusions from resilience testing or audit. A report on the review is submitted to the competent authority upon its request — with no microenterprise carve-out.
  • Internal audit (Art 6(6)) — the framework of financial entities other than microenterprises is subject to internal audit on a regular basis.
  • Resilience strategy (Art 6(8)) — financial entities define a digital operational resilience strategy setting out how the framework is implemented.

Delegated Regulation (EU) 2024/1774 specifies the technical standards for the Article 6 ICT risk management framework, including ICT security policies, procedures and tools, vulnerability management, change management, and physical and environmental security.

Article 16 — simplified ICT risk management framework

Article 16 reserves a simplified framework for specific entity types. The first subparagraph of Article 16(1) disapplies Articles 5 to 15 for the listed entities; the second subparagraph then sets out the simplified duties at points (a)–(h) that apply in their place. The entities listed in Article 16(1) are:

  • small and non-interconnected investment firms;
  • payment institutions exempted pursuant to Directive (EU) 2015/2366;
  • institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of DORA;
  • electronic money institutions exempted pursuant to Directive 2009/110/EC;
  • small institutions for occupational retirement provision.

The simplified framework then sets out the obligations these entities must meet — the Article 16(1)(a)–(h) duties cover a sound and documented ICT risk management framework, continuous monitoring of ICT systems, impact minimisation through resilient systems and tools, prompt identification and detection of risk sources and anomalies, identification of key ICT third-party dependencies, continuity of critical or important functions including back-up and restoration, testing of plans and measures, and implementation of relevant operational conclusions. Delegated Regulation 2024/1774 specifies the technical standards for both regimes (the full framework in Title II, the simplified framework in Title III). The simplified framework is not a general SME carve-out; it is a narrow, entity-type-specific regime.

Two consequences matter in practice:

  • The split is per obligation, not per entity class alone. Outside Articles 5–15, an Article 16(1) entity remains subject to the obligations that bind "financial entities" generally — including the Chapter III incident regime and the Chapter V Section I third-party regime, other than provisions carrying their own carve-out. The Article 28(2) strategy duty, for example, binds entities other than Article 16(1) entities and microenterprises. For Chapter IV testing, Article 26(1) expressly excludes Article 16(1) entities from TLPT; their general testing duty is treated as resting on Article 16(1)(g), since Article 24(1) is anchored to the Article 6 framework that Article 16(1) disapplies (cf. recital 43).
  • Microenterprise carve-outs are a separate axis. Several full-regime paragraphs bind financial entities other than microenterprises (for example the Article 6(4) control function and parts of Articles 11–13). An entity can be in the full regime and still benefit from microenterprise carve-outs — regime and size operate independently.

How to operationalize Articles 1, 2, 4, 5, 6, 16 in Modulos

Modulos models the DORA governance foundation across OFF-16 and MFF-16:

Layer                                              | Modulos surface          | Coverage
Scope and applicability                            | OFF-16 ORF-361           | Articles 1–3 scope determination
Proportionality + simplified framework eligibility | OFF-16 ORF-362           | Articles 4 and 16 eligibility memo
Management body governance                         | OFF-16 ORF-363, ORF-364  | Article 5
ICT RMF governance                                 | OFF-16 ORF-365           | Articles 6 and 15
Control-function independence, audit, review       | OFF-16 ORF-366           | Article 6 (control function, audit, review obligations)
ICT RMF execution                                  | MFF-16 MRF-293           | Articles 6, 15, 16 implementation

A typical setup:

  1. Requirements — each governance obligation is recorded as a requirement on the OFF-16 organisation project. Fulfilment tracks through Not fulfilled → Fulfilled (with optional Out of scope).
  2. Controls — implemented governance arrangements (management-body charter / terms of reference reflecting Article 5, ICT RMF policy approved by the management body, digital operational resilience strategy, internal audit plan) are documented as named controls. Control status changes are routed through review requests.
  3. Evidence — board minutes, RMF policy document, resilience strategy, internal audit reports, control-function appointment letters, and training records are recorded once and linked to multiple controls.
  4. Readiness + fulfilment attestation — when controls are in a final state, the requirement becomes ready for review and the requirement owner attests fulfilment by marking the requirement fulfilled.
  5. Article 16 simplified-framework decision — ORF-362 carries the eligibility memo plus the rationale for selecting the simplified or full framework. The decision affects which Delegated Regulation 2024/1774 title applies (Title II full framework, Title III simplified framework).
  6. Regime and addressee tags — every OFF-16 / MFF-16 requirement carries DORA Framework tags (Full / Simplified) and DORA Addressee tags naming the cohort each limb binds (All financial entities; Other than microenterprises; Other than Art 16(1) entities and microenterprises; Microenterprises only; Simplified (Art 16(1) entities)), with the requirement's Applicability section stating the same split in prose. After the ORF-362 decision, the tags identify which limbs to fulfil and which to record as out of scope.

Cross-framework mapping (preview)

DORA governance                   | NIS2 (Directive (EU) 2022/2555)                                                      | ISO/IEC 27001:2022 (Amd 1:2024)
Art 5 management body             | Art 20 management body                                                               | Clause 5.1 (leadership and commitment), 5.3 (roles and responsibilities)
Art 5 management body training    | Art 20(2) management body training                                                   | Clause 7.2 (competence), 7.3 (awareness)
Art 6 ICT RMF                     | Art 21(1)–(2)(a) policies on risk analysis and information system security          | Clauses 4–10, Annex A.5 (organisational controls)
Art 6 internal audit              | (no direct equivalent; Art 32 supervisory measures)                                  | Clause 9.2 (internal audit)
Art 16 simplified framework       | (no direct equivalent; NIS2 uses a size cap, not an entity-type exemption)           | Clause 4.3 (ISMS scope can be adjusted)

For the pairwise NIS2↔DORA treatment see NIS2 vs DORA.

Source attribution

Regulation (EU) 2022/2554 (DORA) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 1–79. The Article 4 proportionality clause and Article 6(1) ICT RMF cornerstone on this page are quoted verbatim from that OJ text. The other Article 5, Article 6, and Article 16 content on this page paraphrases the operative provisions; for binding paragraph-level wording, consult the EUR-Lex text. Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 specifies the technical standards for the ICT risk management framework and the simplified framework.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. DORA applies directly in every Member State; binding obligations and supervisory authorities for any specific financial entity are determined by the Regulation, the applicable Level 2 acts, and the competent authority designated by the Member State. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.