DORA places different demands on financial entities and their ICT service providers.
Are you a financial entity or an ICT service provider?

What is a financial entity according to DORA?
DORA applies across the entire financial sector. According to Art. 2 (1) DORA, the following financial entities are covered by the scope of application:

  • CRR credit institutions,
  • payment institutions,
  • account information service providers,
  • e-money institutions,
  • investment firms,
  • providers of crypto services authorized under the Regulation of the European Parliament and of the Council on Markets in Crypto Assets (MiCAR) and issuers of asset-referenced tokens,
  • central securities depositories,
  • central counterparties,
  • trading venues,
  • trade repositories,
  • managers of alternative investment funds,
  • management companies,
  • data reporting service providers,
  • insurance and reinsurance undertakings,
  • insurance intermediaries, reinsurance intermediaries and insurance intermediaries in ancillary activity,
  • institutions for occupational retirement provision,
  • credit rating agencies,
  • administrators of critical benchmarks,
  • crowdfunding service providers,
  • securitisation repositories.

What is an ICT service provider?
“ICT services” stands for internet and communication services. According to the definition in Art. 3 No. 21 DORA, ICT services are:

digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

This includes:

  • ICT project management
  • ICT development (business analysis, software design and development, testing)
  • ICT help desk and first level support in the event of ICT incidents
  • ICT security management services (protection, detection, response and recovery, including security incident handling and forensics)
  • Provision of data (digital data service)
  • Services to support data analysis (digital data service)
  • Provision of ICT infrastructure, facilities and hosting services (this includes the provision of utilities (energy, heat management, etc.), telecommunications access and physical security, excluding cloud services)
  • Computation (provision of digital processing capabilities, including data computation; this excludes computation services performed in the context of a cloud environment)
  • Provision of a data storage platform (excluding cloud services)
  • Operating telecommunications systems and managing data flows (traditional analog telephone services are excluded under Article 3 (21) DORA, but virtual telephony is not)
  • Provision of network infrastructure
  • Provision of workstations, telephones, servers, data, storage devices, appliances, etc. as a service
  • Provision of software on premise / software licensing
  • Provision of services related to IT infrastructure (systems and hardware other than network), configuration, maintenance, installation, capacity management, business continuity management, etc., including managed service providers (MSP)
  • ICT advice / ICT consulting / ICT expertise services
  • ICT Risk Management such as verification of compliance with the ICT risk management requirements of Art. 6 para. 10 DORA
  • Cloud: Infrastructure-as-a-service, Platform-as-a-service and Software-as-a-service