
DORA Regulation: Scope and Exemptions


On August 30, 2025, France witnessed a major interruption of payment services, paralyzing card transactions and withdrawals for millions of customers of Crédit Mutuel, CIC, and Monabanq for more than two hours. Triggered by an “internal malfunction” linked to an IT update, the incident caused chaos, leaving many users without any means of payment and highlighting the vulnerability of our financial infrastructures. It is precisely in the face of such disruptions that the DORA Regulation proves its value, imposing strict digital operational resilience standards on financial entities. DORA requires robust continuity plans, proactive ICT risk management, and the ability to recover quickly to minimize consumer impact. Thus, an event like that of August 30, 2025, perfectly illustrates the vital necessity of DORA in guaranteeing stability and trust in the European financial system.


Understanding the Scope of the DORA Regulation


The DORA Regulation (Digital Operational Resilience Act) leaves virtually no one off its radar. Article 2 defines its scope of application: in short, who is covered and who can (miraculously) escape.

DORA aims to strengthen the digital operational resilience of the financial ecosystem, both for traditional institutions and emerging players such as crypto service providers. In other words: there aren’t many hiding places.


Who Is Covered by DORA? Financial and Non-Financial Entities

The list is long (and it quickly becomes clear that DORA likes to keep everyone under control):

  • Banks and credit institutions

  • Payment institutions (including those exempted under PSD2)

  • Account information service providers

  • Electronic money institutions

  • Investment firms

  • Authorized crypto service providers and issuers of asset-referenced tokens

  • Central securities depositories, central counterparties, trading venues, trade repositories

  • Fund managers (Alternative Investment Fund Managers – AIFMs, management companies, UCITS, etc.)

  • Data reporting service providers

  • Insurance and reinsurance companies, and intermediaries

  • Occupational pension institutions

  • Credit rating agencies and benchmark administrators

  • Crowdfunding platforms

  • Securitization repositories

  • And, last but not least: third-party ICT service providers (cloud, cybersecurity, data).


👉 Simple conclusion: if you touch financial services or their digital backbone, chances are DORA will keep you under close watch.


Financial vs Non-Financial Entities

  • Points 1) to 14), from banks and credit institutions to securitization repositories, list all financial entities (banks, insurers, funds, crypto, etc.).

  • Point 15) designates non-financial entities: third-party ICT providers—often essential, but now strictly regulated by DORA.


Exclusions Under the DORA Regulation: Who Escapes?

Fortunately, not everyone falls within DORA’s net. The text provides for some specific exclusions:

  • Small alternative fund managers → managing assets below €100M (with leverage) or €500M (without leverage and no redemption rights for 5 years).

  • Small insurers and reinsurers → when premiums < €5.4M and provisions < €26.6M, subject to specific cover restrictions.

  • Small occupational pension institutions → if managing fewer than 15 members total.

  • Entities exempted under MiFID II (Directive 2014/65/EU), such as:

    • Firms providing services only within their own group.

    • Firms conducting investment activity only as an ancillary service.

    • Proprietary traders (except HFT traders and market makers).

    • Public institutions (central banks, EIB, etc.).

    • Pension funds and certain UCIs.

    • Energy companies trading only to manage their own production/consumption.

    • Specific national carve-outs (e.g. Denmark, Finland).

  • Small and medium-sized insurance/reinsurance intermediaries.

  • Postal cheque offices (a timeless administrative classic).


In Summary: DORA Makes No Exceptions

The scope of DORA is broad and tight. Few financial or technological players escape, except under carefully framed exceptions. And for those who thought they could slip through, spoiler alert: the net is tight.

Ultimately, the DORA Regulation ensures that Europe is no longer vulnerable to major digital operational shocks.

Strict regulation? Yes. Over the top? Perhaps. But in a world where a cyberattack can shake a bank or a crypto platform, it’s hard to argue it’s unnecessary.


 
 
 


© 2024 by Cabinet BECTRA.
