
Applicability and governance — DORA Articles 1, 2, 4, 5, 6, 16

DORA's scope, proportionality, and governance foundations sit in Chapter I (Articles 1–4) and in Chapter II: Article 5 (governance), Article 6 (the ICT risk management framework), Article 15 (the RTS mandate for that framework) and Article 16 (the simplified framework). This page walks through the operative provisions and shows how each lands in Modulos OFF-16 and MFF-16.

Quick decision

  • Financial entity → check Article 2(1). DORA scope is by entity type, not by size cap. Article 2(3) carves out specific entity types (small AIFMs, certain small IORPs, others).
  • Specific entity type listed in Article 16 → the simplified ICT risk management framework applies. The list is closed (small and non-interconnected investment firms; payment institutions exempted under Directive 2015/2366; institutions exempted under Directive 2013/36/EU; e-money institutions exempted under Directive 2009/110/EC; small IORPs). Delegated Regulation 2024/1774 carries the simplified-framework RTS.
  • ICT third-party service provider → Article 2(1) brings TPPs into DORA in their dealings with financial entities. Articles 28–30 are addressed to financial entities, but they dictate what those entities' contracts with you must contain, so you will face those terms regardless of whether you are later designated critical under Article 31.
  • Setting up the governance foundation → Article 5 establishes the management-body responsibilities; Article 6 establishes the baseline ICT risk management framework.
  • Cross-applying with NIS2 → apply DORA Article 1(2) — on matters DORA covers, DORA's specialised provisions apply for financial entities that would otherwise be essential or important under the national NIS2 transposition. See NIS2 vs DORA.

TL;DR

  • Article 2(1) lists DORA's in-scope financial entities by type. Article 2(3) carves out specific entity types from DORA's scope, including small AIFMs and certain small IORPs.
  • Article 4 enshrines proportionality: Chapter II rules apply taking into account the entity's size, risk profile, and complexity.
  • Article 5 establishes the management-body governance regime — overall responsibility, specific responsibilities, and the ongoing training duty.
  • Article 6 establishes the baseline ICT risk management framework. Article 16 reserves a simplified version of that framework for specific small / exempted entity types.
  • Delegated Regulation (EU) 2024/1774 lays down the regulatory technical standards specifying both the full ICT risk management framework and the simplified framework.

Primary source

Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) — Articles 1–6, 15, 16, 64 · Commission Delegated Regulation (EU) 2024/1774 (ICT RMF + simplified RMF RTS)

Article 1 — subject matter

Article 1(1) defines DORA's subject matter as uniform requirements for the security of network and information systems supporting the business processes of financial entities, with regard to ICT risk management requirements (Chapter II), the reporting of major ICT-related incidents (Chapter III), digital operational resilience testing (Chapter IV), ICT third-party risk management including by ICT third-party service providers (Chapter V Section I), the EU oversight framework for ICT third-party service providers designated as critical (Chapter V Section II), and information-sharing arrangements (Chapter VI).

Article 1(2) is the operative provision that allocates competence between DORA and the NIS2 Directive. It is structured so that DORA operates as a sector-specific Union legal act for the purposes of NIS2 Article 4: in relation to financial entities that would otherwise be essential or important entities under the national NIS2 transposition, DORA's specialised provisions apply on the matters DORA covers. NIS2 obligations remain relevant for areas DORA does not cover and where the national NIS2 transposition extends further.

Article 2 — scope

Article 2(1) — financial entities in scope

Article 2(1) lists the financial entities to which DORA applies. The list is detailed and includes (in summary, by entity category):

  • credit institutions;
  • payment institutions, including those exempted under Directive (EU) 2015/2366;
  • account information service providers;
  • electronic money institutions, including those exempted under Directive 2009/110/EC;
  • investment firms;
  • crypto-asset service providers authorised under MiCA (Regulation (EU) 2023/1114) and issuers of asset-referenced tokens;
  • central securities depositories;
  • central counterparties;
  • trading venues;
  • trade repositories;
  • managers of alternative investment funds (AIFMs);
  • management companies of undertakings for collective investment in transferable securities (UCITS);
  • data reporting service providers;
  • insurance and reinsurance undertakings;
  • insurance, reinsurance, and ancillary insurance intermediaries;
  • institutions for occupational retirement provision;
  • credit rating agencies;
  • administrators of critical benchmarks;
  • crowdfunding service providers;
  • securitisation repositories;
  • ICT third-party service providers (with sector-specific obligations).

Scope is by entity category. Unlike NIS2, DORA does not use a size-cap rule.

Article 2(3) — exclusions

Article 2(3) excludes specific entity types from DORA's scope, including:

  • managers of alternative investment funds below the relevant threshold (Article 3(2) of Directive 2011/61/EU);
  • insurance and reinsurance undertakings below the threshold (Article 4 of Directive 2009/138/EC);
  • institutions for occupational retirement provision operating pension schemes which together do not have more than 15 members in total;
  • natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU (MiFID II);
  • insurance, reinsurance, and ancillary insurance intermediaries that are micro, small, or medium-sized enterprises;
  • post office giro institutions referred to in Directive 2013/36/EU.

The exclusion list is meaningful: many smaller pension funds, smaller insurance intermediaries, and below-threshold AIFMs sit outside DORA entirely.

Article 2(4) — additional discretionary option

Article 2(4) gives Member States an option to exclude from DORA the entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU that are located in their territory. These are bodies already carved out of the CRD regime (national promotional and similar institutions), not ordinary credit institutions; whether a Member State has used the option also feeds into the Article 16 eligibility test for institutions exempted under Directive 2013/36/EU.

Article 4 — proportionality

Article 4 enshrines the proportionality principle:

Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.

Article 4 also requires that the application of Chapters III, IV and V Section I by financial entities take account of their size and risk profile. The proportionality principle shapes how each obligation is applied but does not override the obligation itself.

Article 5 — management body governance

Article 5 places overall accountability for the ICT risk management framework on the management body of the financial entity. The management body is required to define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6.

Article 5 then enumerates specific management-body responsibilities, including (in summary):

  • bearing the ultimate responsibility for managing the financial entity's ICT risk;
  • putting in place policies to ensure high standards of availability, authenticity, integrity and confidentiality of data;
  • setting clear roles and responsibilities for all ICT-related functions and establishing appropriate governance arrangements;
  • bearing overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level for ICT risk;
  • approving, overseeing, and periodically reviewing the implementation of the financial entity's ICT business continuity policy and ICT response and recovery plans;
  • approving and periodically reviewing the financial entity's ICT internal audit plans and audits;
  • allocating and periodically reviewing the appropriate budget for digital operational resilience needs, including ICT security awareness programmes and digital operational resilience training;
  • approving and periodically reviewing the policy on arrangements regarding the use of ICT services provided by ICT third-party service providers;
  • putting in place, at corporate level, reporting channels enabling the management body to be duly informed of arrangements concluded with ICT third-party service providers, of relevant planned material changes to those arrangements, and of the potential impact of such changes on critical or important functions.

The Article 5 specific-responsibility list is detailed enough that a management-body charter / terms of reference will typically need to be updated to reflect the obligations expressly.

Article 5 also requires members of the management body to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.

Article 6 — ICT risk management framework

Article 6(1) is the cornerstone provision:

Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

The remaining paragraphs of Article 6 flesh out the framework:

  • coverage: the framework includes at least the strategies, policies, procedures, ICT protocols and tools necessary to duly and adequately protect all information assets and ICT assets, and aims to minimise the impact of ICT risk through them;
  • internal governance and control framework: the financial entity has an internal governance and control framework that ensures effective and prudent management of ICT risk;
  • control function: financial entities other than microenterprises assign responsibility for managing and overseeing ICT risk to a control function with an appropriate level of independence to avoid conflicts of interest, and keep ICT risk management, control and internal audit functions appropriately segregated (three lines of defence or an equivalent internal risk management and control model);
  • review cadence: the framework is documented and reviewed at least once a year (periodically in the case of microenterprises), and additionally upon major ICT-related incidents and following supervisory instructions or conclusions drawn from digital operational resilience testing or audit; it is continuously improved on the basis of lessons learned;
  • audit: the framework is subject to internal audit by auditors on a regular basis in line with the entity's audit plan, with a formal follow-up process for audit findings;
  • digital operational resilience strategy: the entity defines a strategy that sets out how the framework is implemented;
  • supervisory reporting: financial entities other than microenterprises report on the review of the framework to the competent authority upon its request.

Delegated Regulation (EU) 2024/1774 specifies the technical standards for the Article 6 ICT risk management framework, including ICT security policies, procedures and tools, vulnerability management, change management, and physical and environmental security.

Article 16 — simplified ICT risk management framework

Article 16 reserves a simplified framework for specific entity types. The provision begins by disapplying Articles 5 to 15 for the listed entities and then introduces the simplified framework that applies in their place. The entities listed in Article 16 are:

  • small and non-interconnected investment firms;
  • payment institutions exempted pursuant to Directive (EU) 2015/2366;
  • institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of DORA;
  • electronic money institutions exempted pursuant to Directive 2009/110/EC;
  • small institutions for occupational retirement provision.

The simplified framework then sets out the obligations these entities must meet: a sound and documented ICT risk management framework that is reviewed periodically and after major ICT-related incidents; continuous monitoring of the security and functioning of all ICT systems; minimising the impact of ICT risk through sound, resilient and updated ICT systems, protocols and tools; prompt identification and detection of ICT risk sources and anomalies and swift handling of ICT-related incidents; identification of key dependencies on ICT third-party service providers; continuity of critical or important functions through business continuity plans and response and recovery measures, including at least back-up and restoration; regular testing of those plans and of the effectiveness of controls; implementation of conclusions from tests and post-incident analyses; and ICT security awareness programmes and digital operational resilience training for staff and management. It is a streamlined regime that retains the overall objective of digital operational resilience. Delegated Regulation 2024/1774 specifies the technical standards for both Article 6 and Article 16. The simplified framework is not a general SME carve-out; it is a narrow, entity-type-specific regime.

How to operationalize Articles 1, 2, 4, 5, 6, 16 in Modulos

Modulos models the DORA governance foundation across OFF-16 and MFF-16:

Layer | Modulos surface | Coverage
Scope and applicability | OFF-16 ORF-361 | Articles 1–3 scope determination
Proportionality + simplified framework eligibility | OFF-16 ORF-362 | Articles 4 and 16 eligibility memo
Management body governance | OFF-16 ORF-363, ORF-364 | Article 5
ICT RMF governance | OFF-16 ORF-365 | Articles 6 and 15
Control-function independence, audit, review | OFF-16 ORF-366 | Article 6 (control function, audit, review obligations)
ICT RMF execution | MFF-16 MRF-293 | Articles 6, 15, 16 implementation

A typical setup:

  1. Requirements — each governance obligation is recorded as a requirement on the OFF-16 organisation project. Fulfilment tracks through Not fulfilled → Fulfilled (with optional Out of scope).
  2. Controls — implemented governance arrangements (management-body charter / terms of reference reflecting Article 5, ICT RMF policy approved by the management body, digital operational resilience strategy, internal audit plan) are documented as named controls. Control status changes are routed through review requests.
  3. Evidence — board minutes, RMF policy document, resilience strategy, internal audit reports, control-function appointment letters, and training records are recorded once and linked to multiple controls.
  4. Readiness + fulfilment attestation — when controls are in a final state, the requirement becomes ready for review and the requirement owner attests fulfilment by marking the requirement fulfilled.
  5. Article 16 simplified-framework decision: ORF-362 carries the eligibility memo plus the rationale for selecting the simplified or full framework. The decision determines which part of Delegated Regulation 2024/1774 applies (Title II for the full framework, Title III for the simplified framework).

Cross-framework mapping (preview)

DORA governance | NIS2 (Directive (EU) 2022/2555) | ISO/IEC 27001:2022 (Amd 1:2024)
Art 5 management body | Art 20 management body | Clause 5.1 (leadership and commitment), 5.3 (roles and responsibilities)
Art 5 management body training | Art 20(2) management body training | Clause 7.2 (competence), 7.3 (awareness)
Art 6 ICT RMF | Art 21(1)–(2)(a) policies on risk analysis and information system security | Clauses 4–10, Annex A.5 (organisational controls)
Art 6 internal audit | (no direct equivalent; Art 32 supervisory measures) | Clause 9.2 (internal audit)
Art 16 simplified framework | (no direct equivalent — NIS2 uses size-cap not entity-type exemption) | Clause 4.3 ISMS scope can be adjusted

For the pairwise NIS2↔DORA treatment see NIS2 vs DORA.

Source attribution

Regulation (EU) 2022/2554 (DORA) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 1–79. The Article 4 proportionality clause and Article 6(1) ICT RMF cornerstone on this page are quoted verbatim from that OJ text. The other Article 5, Article 6, and Article 16 content on this page paraphrases the operative provisions; for binding paragraph-level wording, consult the EUR-Lex text. Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 specifies the technical standards for the ICT risk management framework and the simplified framework.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. DORA applies directly in every Member State; binding obligations and supervisory authorities for any specific financial entity are determined by the Regulation, the applicable Level 2 acts, and the competent authority designated by the Member State. For binding interpretation in your jurisdiction, consult the published EUR-Lex text and qualified counsel.