Does DORA apply to my company?

DORA applies to a broad list of EU financial entities — banks, payment and e-money institutions, investment firms, insurers and intermediaries, fund managers, market infrastructures, crypto-asset and crowdfunding service providers, and more — and to the ICT third-party service providers that serve them. This checker walks the Article 2 and 16 logic to give you a structured starting-point classification.

Is DORA a directive that my country still has to transpose?

No. DORA is a Regulation, so it is directly applicable in every EU Member State without national transposition. It has applied since 17 January 2025. One narrow nuance: Article 2(4) lets a Member State exclude certain CRD-exempt institutions, so confirm your national position if that could apply to you.

What is the difference between full DORA and the simplified framework?

Smaller or lower-risk entities listed in Article 16 — such as small and non-interconnected investment firms, PSD2-exempt payment institutions, EMD2-exempt e-money institutions and small IORPs — follow a simplified ICT risk-management framework rather than the full set of obligations. They are still in scope.

I'm an ICT/cloud/software provider, not a financial firm — am I affected?

Likely yes, indirectly and sometimes directly. ICT third-party service providers to financial entities are within DORA's third-party provisions, and those designated 'critical' by the European Supervisory Authorities fall under the DORA Oversight Framework. Financial-entity clients also pass DORA contractual requirements down to you.

Is this DORA checker legal advice?

No. It is a free, structured starting point based on the Regulation's text and your inputs. Several boundaries — the Article 2(3) exclusions and the 'critical' ICT-provider designation — are fact-specific or decided by the authorities. Confirm the result with your competent authority or counsel.

Do you store my answers?

No. The classification runs entirely in your browser. There is no form gate and we do not capture or store your inputs.

Free tool

DORA applicability checker

Find out whether the EU Digital Operational Resilience Act (DORA) applies to your organisation — as a financial entity or as an ICT third-party service provider — in about two minutes.

Classification follows Regulation (EU) 2022/2554 (DORA), Articles 2, 3, 16 and 31. DORA is directly applicable across the EU and has applied since 17 January 2025 — no national transposition. One Member-State-dependent nuance remains: the Article 2(4) option to exclude certain CRD-exempt institutions. This tool is a structured starting point, not legal advice.

FAQ

Does DORA apply to my company?: DORA applies to a broad list of EU financial entities — banks, payment and e-money institutions, investment firms, insurers and intermediaries, fund managers, market infrastructures, crypto-asset and crowdfunding service providers, and more — and to the ICT third-party service providers that serve them. This checker walks the Article 2 and 16 logic to give you a structured starting-point classification.
Is DORA a directive that my country still has to transpose?: No. DORA is a Regulation, so it is directly applicable in every EU Member State without national transposition. It has applied since 17 January 2025. One narrow nuance: Article 2(4) lets a Member State exclude certain CRD-exempt institutions, so confirm your national position if that could apply to you.
What is the difference between full DORA and the simplified framework?: Smaller or lower-risk entities listed in Article 16 — such as small and non-interconnected investment firms, PSD2-exempt payment institutions, EMD2-exempt e-money institutions and small IORPs — follow a simplified ICT risk-management framework rather than the full set of obligations. They are still in scope.
I'm an ICT/cloud/software provider, not a financial firm — am I affected?: Likely yes, indirectly and sometimes directly. ICT third-party service providers to financial entities are within DORA's third-party provisions, and those designated 'critical' by the European Supervisory Authorities fall under the DORA Oversight Framework. Financial-entity clients also pass DORA contractual requirements down to you.
Is this DORA checker legal advice?: No. It is a free, structured starting point based on the Regulation's text and your inputs. Several boundaries — the Article 2(3) exclusions and the 'critical' ICT-provider designation — are fact-specific or decided by the authorities. Confirm the result with your competent authority or counsel.
Do you store my answers?: No. The classification runs entirely in your browser. There is no form gate and we do not capture or store your inputs.

By ISMS Copilot. Classification follows Regulation (EU) 2022/2554 (DORA), Articles 2, 3, 16 and 31. DORA is directly applicable across the EU and has applied since 17 January 2025 — no national transposition. One Member-State-dependent nuance remains: the Article 2(4) option to exclude certain CRD-exempt institutions. This tool is a structured starting point, not legal advice.

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.

Try ISMS Copilot 2.0