Exclusions of Microenterprises Under DORA: Detailed List with Relevant Provisions


Please provide exhaustive list of exclusions envisaged for microenterprises by DORA. In each case please refer to specific provision of DORA which provides a given exclusion.

Executive Summary

Understanding the exclusions for microenterprises under the Digital Operational Resilience Act (DORA) is crucial for financial-sector entrepreneurs. This summary offers a concise view of specific provisions that reduce regulatory burdens:

  • Assignment of ICT Risk Management: Microenterprises are exempt from setting up an independent control function for ICT risk management, per Article 6(4).
  • Review of ICT Framework: There is flexibility in the frequency of reviewing ICT risk frameworks, with a periodic review for microenterprises instead of an annual one (Article 6(5)).
  • ICT Third-Party Risk Strategy: Microenterprises do not have to adopt or regularly review a strategy on ICT third-party risk, lightening their compliance load (Article 28(2)).
  • Risk Assessment: There’s no obligation for risk assessments after major changes in ICT systems for microenterprises, allowing more operational flexibility (Article 8(3)).

These points highlight the ways DORA tailors its requirements for smaller financial entities, enabling innovation without the full weight of regulatory oversight.


  • Entity Definition: It is assumed that “microenterprises” refer to entities that meet the definition under DORA or, where not defined in DORA, the common definition in EU law of an entity employing fewer than 10 persons and with an annual turnover and/or annual balance sheet total not exceeding EUR 2 million.
  • Scope of DORA: The key assumption is that DORA encompasses various financial entities, and the user is specifically interested in any exclusion clauses that pertain to microenterprises within the scope of this regulation.

Legal trace

DORA’s Applicability to Microenterprises and Specific Exclusions

”microenterprise” means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million; Article 3(60)

The definition of a microenterprise according to DORA focuses on small financial entities that do not exceed specific employee and financial thresholds. Importantly, excluding entities like trading venues and central securities depositories suggests that the regulation targets the smaller and possibly less complex organizations for particular exemptions.

Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Article 6(4)

Microenterprises are granted notable leniency in the managerial assignment of ICT risks. They are not required to institute an independent control function for overseeing ICT risks, relieving them from this structured protocol and the associated costs of maintaining such independence.

The ICT risk management framework shall be documented and reviewed at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of major ICT-related incidents… Article 6(5)

Flexibility is provided to microenterprises for the frequency of reviewing their ICT risk management frameworks. The annual mandate given to larger entities is moderated to a less stringent “periodic” review for smaller entities.

As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk… Article 28(2)

In the area of ICT third-party risk, a key exclusion for microenterprises removes the obligation to adopt and regularly review a risk strategy, highlighting the scaled expectations and reduced compliance burden for these entities.

Simplified Frameworks and Regulatory Context for Exclusions

Articles 5 to 15 of this Regulation shall not apply to small and non-interconnected investment firms, payment institutions exempted pursuant to Directive (EU) 2015/2366; institutions exempted pursuant to Directive 2013/36/EU in respect of which Member States have decided not to apply the option referred to in Article 2(4) of this Regulation; electronic money institutions exempted pursuant to Directive 2009/110/EC; and small institutions for occupational retirement provision. Article 16(1)

Article 16 implicitly finesses the scope of obligations for certain smaller financial entities by stipulating a set of entities to which general provisions do not apply. Though it does not mention “microenterprises” explicitly, there is an insinuation that entities typically classified as microenterprises could be included within these exclusions provided they fall within the categories delineated.

Digital operational resilience testing requirements have been developed in certain financial subsectors setting out frameworks that are not always fully aligned. This leads to a potential duplication of costs for cross-border financial entities and makes the mutual recognition of the results of digital operational resilience testing complex which, in turn, can fragment the internal market. Recital 25

This rationale underscores the intent to avert excessive regulatory costs for microenterprises that may arise from fragmented and misaligned digital operational resilience frameworks, indicating the intention to create an internal market that is accommodating and protective of smaller organizations’ interests.

Summary of Found Exclusions

This Regulation does not apply to […] insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises Article 2(3)(e)

DORA specifically excludes insurance, reinsurance, and ancillary insurance intermediaries classified as microenterprises from its entire scope. This presumes a regulatory understanding that such intermediaries lack the scale to manage the extensive requirements typically placed on their larger counterparts.

Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets. Article 8(3)

Significantly, microenterprises are not encumbered with the demand for conducting risk assessments following every major ICT system change, which acknowledges the operational and resource flexibility such enterprises need to maintain.

In conclusion, the exclusions envisaged by DORA for microenterprises signal a conscientious regulation that seeks to balance the needs for robust digital operational resilience within the financial sector with the practical realities and capacities of smaller entities. The specific exclusions serve to prevent disproportionate burdens that could otherwise undermine the operational stability and competitive position of microenterprises within the EU’s financial system.

PDF Repository

We have searched through the PDF repository of draft EBA and ESMA guidelines, draft technical standards, and other documents to provide this supplemental answer.


In light of a request for information on the exclusions envisaged for microenterprises by the Digital Operational Resilience Act (DORA), additional materials were examined to provide a supplemental answer. This detailed analysis sheds light on the regulatory considerations affecting microenterprises under DORA, emphasizing the application of the proportionality principle and its implications for these entities.

Legal trace

Understanding the Proportionality Principle Within DORA and Its Relevance to Microenterprises

Option A and partly B was considered. DORA already sets out a general requirement on the appropriate application of its requirements. The draft RTS further specify some of the criteria for the application of the proportionality principle that can be considered by financial entities and competent authorities when doing the proportionality assessment. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 27

The above quote highlights the careful consideration given to the proportionality principle within DORA. It indicates that the regulatory standards and technical specifications are crafted to keep in mind the size and capabilities of different financial entities, including microenterprises. The implication here is that the exclusions for microenterprises may be founded on these proportionality assessments, ensuring that the burdens imposed are commensurate with the operational capacities of these smaller entities.

Governance Arrangements and Their Impact on Microenterprises Under DORA

The RTS requires that the internal responsibilities and all the associated skills, experience and knowledge are maintained within the financial entity to ensure an effective monitoring and oversight of the contractual arrangements. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 22

The requirement of maintaining internal responsibilities and related competencies within a financial entity, as mentioned in the quote, underscores the emphasis on governance. For microenterprises, the less stringent regulatory oversight in this regard, as seen in the main DORA analysis, could suggest exempting them from some of these stringent internal control measures. This could translate to fewer obligations in terms of acquiring or maintaining certain levels of expertise in-house.

Due Diligence and Risk Assessment in the Context of Microenterprises

In addition, the Level 1 already foresees some exemptions for small entities. Some proportionality was also explicitly introduced regarding the due diligence to be performed when the ICT third-party provider is part of a group. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 27

DORA, as observed in the outlined provisions, incorporates specific exemptions for microenterprises in alignment with these additional insights, signifying that the due diligence processes for financial entities when involving ICT third-party providers also take into account the realities of size and resource capability. Microenterprises hence benefit from a regulatory framework that reduces complexity, reinforcing the understanding that there are conditional amendments aligned with their scale.

Contractual Clauses and Their Operational Significance for Microenterprises

The policy shall specify that those contractual clauses shall always be in the contract and effective otherwise financial entities cannot use ICT third-party service providers. (Final Report on Draft) Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by DORA, page 25

This suggests a mandatory baseline for contractual agreements with ICT third-party service providers in DORA. While microenterprises are not exempt from entering such agreements, they may be subject to less onerous contractual terms than larger entities. This elucidation supports the understanding that microenterprises operate within a framework carefully tailored to prevent disproportionate compliance burdens while ensuring competitive fairness in the market.

Concluding Remarks on the Regulatory Landscape for Microenterprises

The insights from additional documentation related to DORA suggest a cohesive effort by regulators to align the act’s requirements with the practical capacities of various financial entities, especially microenterprises. The quotes clarify the regulatory environment with specific reference to the proportionality principle, governance expectations, due diligence, and contractual requirements. This approach ensures a protective yet unburdened inclusion of microenterprises in the financial sector’s digital operational resilience framework.