Scope of Application
Affected Entities (Art. 2 DORA)
DORA applies to virtually all supervised financial entities in the European financial sector:
| Letter | Sector | Examples |
|---|---|---|
| a) | Credit institutions | Banks, savings institutions |
| b) | Payment institutions | Payment providers |
| c) | Electronic money institutions | E-money issuers |
| d) | Investment firms | Brokers, asset managers |
| e) | Crypto-asset service providers | Crypto exchanges, token issuers |
| f) | Central securities depositories | CSDs |
| g) | Central counterparties | CCPs |
| h) | Trading venues | Exchanges, MTFs, OTFs |
| i) | Trade repositories | Trade repositories |
| j) | Managers of alternative investment funds | AIFMs |
| k) | Management companies | UCITS ManCos |
| l) | Data reporting service providers | APAs, CTPs, ARMs |
| m) | Insurance and reinsurance undertakings | All under Solvency II |
| n) | Insurance intermediaries | Brokers, agents |
| o) | Institutions for occupational retirement provision | IORPs |
| p) | Credit rating agencies | CRAs |
| q) | Statutory auditors | Audit firms |
| r) | Administrators of critical benchmarks | e.g. EURIBOR administrators |
| s) | Crowdfunding service providers | ECF platforms |
| t) | Securitisation repositories | Securitisation repositories |
| u) | ICT third-party service providers | IT service providers, cloud providers, MSPs |
BAUER GROUP Relevance
BAUER GROUP falls under letter u) – ICT third-party service providers. Even without a BaFin licence of its own, BAUER GROUP is affected as soon as it serves clients in the financial sector. The obligations arise primarily from the contractual requirements (Art. 28–30) and potentially from CTPP designation (Art. 31 ff.).
Exemptions (Art. 2(3) & (4) DORA)
Exempt are, among others:
- Managers of alternative investment funds under Art. 3(2) AIFMD
- Insurance and reinsurance undertakings under Art. 4 of the Solvency II Directive (size-based exemption)
- Certain insurance intermediaries (microenterprises, small and medium-sized)
- Post-trade infrastructures from third countries (subject to conditions)
Entity Categorisation (Proportionality Principle)
| Category | Employees | Turnover / Balance Sheet | DORA Implication |
|---|---|---|---|
| Microenterprise | ≤ 10 | ≤ EUR 2 million | Simplified ICT risk management framework (Art. 16), no TLPT; third-party risk (Chapter V, Art. 28–44) still applies in full |
| Small enterprise | ≤ 50 | ≤ EUR 10 million | Art. 16 applies only to entity types specifically named in Art. 16(1), not based on size alone |
| Medium enterprise | ≤ 250 | Turnover ≤ EUR 50 million / Balance sheet ≤ EUR 43 million | Full scope |
| Large enterprise | > 250 | Above | Full scope + potentially TLPT obligation |
FinmadiG Extension (from 01.01.2027)
The Finanzmarktdigitalisierungsgesetz (Financial Markets Digitalisation Act) extends the DORA scope of application in Germany to:
- Financial services institutions (leasing, factoring)
- Crypto securities register operators
- Branches under Section 53 KWG (German Banking Act)
- Insurance holding companies (Section 7 No. 31, Section 294(4) VAG)
- All KWG institutions not already covered under Art. 2 DORA
Transitional provision: Reporting obligations (Chapter III) have been applicable since 17.01.2025; full ICT risk management framework from 01.01.2027. BAIT applies transitionally until 31.12.2026.