General Questions regarding DORA

Q&A

DORA has applied since 17.01.2025. There were no transitional periods.

Article 2 (1) of the DORA Regulation (DORA) states that it applies to:

  1. credit institutions,
  2. payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366,
  3. account information service providers,
  4. electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC,
  5. investment firms,
  6. crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’), and issuers of asset-referenced tokens;
  7. central securities depositories,
  8. central counterparties,
  9. trading venues,
  10. trade repositories,
  11. managers of alternative investment funds,
  12. management companies,
  13. data reporting services,
  14. insurance and reinsurance undertakings,
  15. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,
  16. institutions for occupational retirement provision,
  17. ratings agencies,
  18. administrators of critical benchmarks,
  19. crowd financing service providers,
  20. securitisation repositories,
  21. ICT third-party service providers.

It does not apply to (Article 2 (3) DORA):

  1. managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;
  2. insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;
  3. institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;
  4. natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;
  5. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises;
  6. post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.

The DORA Enforcement Act also contains additional rules regarding the scope of application, which extend the scope of application of DORA to cover “national” credit institutions under Article 1 para. 1 of the Austrian Banking Act (BWG; Bankwesengesetz) and exclude non-profit housing associations in the public interest.

Article 3. (1) The rules contained in this Federal Act, Regulation (EU) 2022/2554, as well as delegated and implementing acts issued based on that Regulation shall apply to credit institutions pursuant to Article 1 para. 1 BWG that are not any of the legal entities listed in points a to t of Article 2(1) of Regulation (EU) 2022/2554, as if they were credit institutions pursuant to Article 2(1) point a of Regulation (EU) 2022/2554.

(2) Regulation (EU) 2022/2554 and this Federal Act shall not apply to enterprises recognised as non-profit housing associations where they conduct transactions listed in Article 1 para. 1 BWG that are part of their core transactions.

In addition, reference is made to the requirements for the simplified ICT risk management framework (Article 16 DORA).

Furthermore, DORA also contains simplifications for “microenterprises” (Article 3 (60) DORA). Microenterprises are financial entities, other than a trading venue, a central counterparty, a trade repository or a central securities depository that employ fewer than 10 persons and that have an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.

The principle of proportionality is to be taken into account in applying the rules in DORA, with regard to the size and overall risk profile, as well as the nature, scope and complexity of the services, activities, and transactions conducted by financial undertakings.

While this principle is fundamentally defined for the Chapter on ICT risk management (Article 4(1) DORA), it applies to the areas of ICT-related incidents, digital operational resilience testing and management of ICT third-party risk only as specifically provided for in the relevant rules (Article 4(2) DORA).

Questions regarding FMA and OeNB’s supervisory expectations

ICT inspections by the Oesterreichische Nationalbank (OeNB) and the Austrian Financial Market Authority (FMA) will consider rules under the DORA regime in the future. Currently, there is no intention to conduct on-site inspections focussing solely on DORA. Other supervisory measures, such as questions, examination of files, or cyber exercises, continue to be carried out in accordance with the priorities for supervision.

Contact

DORA-related questions should be addressed to the following e-mail address:

[email protected]

The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to the up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.