Question ID: DORA 137 - 3195
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Article: 2
Status: Final
Date of submission: 25 Nov 2024
Question
Scope and Territorial Applicability of DORA Does DORA apply exclusively to entities operating within the EU? Consider the following examples for clarification: Example 1: An organization headquartered in an EU Member State, such as Spain, operates branches in non-EU countries (e.g., New Zealand, Japan). Would the requirements of DORA extend to these branches? Example 2: An organization headquartered in an EU Member State, such as France, has legal entities conducting activities within the scope of DORA outside the EU (e.g., in the United States, Canada, or Mexico). Would the requirements of DORA apply to these legal entities?
EIOPA answer
Regulation (EU) 2022/2554 (DORA) defines its scope by the type of financial entity. In practice, if a legal entity is a regulated financial entity listed in Article 2(1), then the whole entity is subject to DORA requirements. Therefore, a financial entity headquartered in an EUmember state with branches in non-EU countries will have to apply the DORA requirements also to those branches, being the branches part of the same legal entity. Conversely, the non-EU subsidiaries of the same financial entity, being legal entities established in nonEU member states will not have to apply DORA as they are not financial entities according to Article 2(1). It is important to note that non-EU entities marketing services in the EU may fall within the scope of DORA, subject to applicable sectoral legislation. For example, as explained in Q&A DORA238, non-EU AIFMs will become subject to DORA once the European Commission adopts the relevant Delegated Acts extending the marketing and management passport to them.