Question ID: DORA 136 - 3193
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: Other DORA topics
Article: 2
Status: Final
Date of submission: 25 Nov 2024
Question
If a company has both DORA regulated activities and other - non-regulated - activities, does DORA apply to those other non-regulated activities as well? If so, is there a minimum % that the DORA regulated activities should be of the overall company activities for the non-regulated activities to be regulated by DORA as well?
EIOPA answer
Article 2 of Regulation (EU) 2022/2554 (DORA) defines its scope by the type of entities, not by individual activities or services. Therefore, by default, entities as a whole are subject to DORA requirements. In practice, this means that if ICT systems, services, or processes are shared across both regulated and non-regulated activities, DORA obligations extend to those as well. Only where ICT environments are fully segregated and contagion risks are effectively prevented can those non-regulated activities be excluded from the scope. That said, DORA does build in proportionality and explicit exemptions for certain categories of firms. Article 2(3) of DORA enumerates categories of entities that are excluded despite otherwise carrying out financial activities. Finally, it is also important to note that DORA provides specific requirements for ICT services supporting critical or important functions.