Search QAs

For the identification of insurance and reinsurance undertakings the RTS on TLPT specifies quantitative criteria in Article 2(2)(g) that must be met in a cumulative way. Additionally, in the last subparagraph of Article 2(2) of the RTS on TLPT further quantitative criteria are given. In order to fos…

Since there many requirements directed at ICT systems but there is no definition id like to know if ICT-Systems are definable by the following: An ICT system is a collection of multiple different productive ICT Assets (e.g., a database, a virtual server and the installed software artifact on it) tha…

Article 18 refers to "Member States" in regard to geographical spread. However, this implies that the article does not include EEA members, i.e., incidents that spread to EEA and non-EU members (Iceland, Liechtenstein, Norway) are not to be considered in the classification of major ICT-related incid…

Scope and Territorial Applicability of DORA Does DORA apply exclusively to entities operating within the EU? Consider the following examples for clarification: Example 1: An organization headquartered in an EU Member State, such as Spain, operates branches in non-EU countries (e.g., New Zealand, Jap…

We are an elearning platform provider. We work with an important bank in France. Is Dora applicable for our company (provider of soft skills elearning content to bank sector employees) ? 

Software is bought as it is from an external provider. The contract specifies no further development, maintenance or support. However, the service provider publishes updates, which can optionally be downloaded by users. Would this constellation represent a DORA ICT-service?

Can Social Media usage (e.g. for public relations) be considered an ICT-service under DORA?

Does an insurance entity licensed outside the EU, which is a subsidiary of a company based in the EU, and with operations also outside the EU, fall within the scope of DORA?

Is it in line with Article 30(3)(e)(i) of Regulation (EU) 2022/2554 (DORA), in conjunction with Article 8 of Commission Delegated Regulation (EU) 2024/1773, to appoint an independent third party to perform a regular joint audit of a third-party ICT service provider that supports critical or importan…