Assess your DORA exposure

How to tell if your product falls under DORA's critical ICT scope

Under DORA Article 31, the three European Supervisory Authorities — EBA, ESMA, and EIOPA — jointly assess ICT providers and designate which ones are “critical.” That designation triggers a formal oversight regime.

But that doesn’t mean you should wait passively. If your product serves financial institutions in the EU, understanding the criteria now lets you prepare — or restructure — before a designation lands.

The criteria the ESAs weigh (Article 31)

Systemic impact

Would your failure destabilise the financial system or disrupt critical financial services?

Number of clients

How many financial entities in the EU rely on your service — and how significant are they?

Substitutability

Could your clients switch to another provider quickly and without disruption? The harder you are to replace, the more critical you are likely to be judged.

Cross-border reach

Services active across multiple EU member states attract more regulatory attention.

Interdependence

Is your service embedded in other critical systems or chains? Cascading failure risk is weighed heavily.

Quick self-assessment — tick what applies to your product


You serve EU-regulated financial institutions

Banks, insurers, investment firms, payment providers, crypto-asset service providers, and other entities supervised under DORA.

Your service supports a critical or important function

Core banking, payments processing, trading infrastructure, data reporting, customer authentication.

Multiple financial entities depend on the same system

Shared infrastructure, multi-tenant SaaS, or sector-wide data services amplify systemic risk.

Switching away from your product would be difficult

Deep integrations, proprietary formats, long migration timelines, or no comparable alternative.

You operate across more than one EU member state

Cross-border services increase regulatory visibility and systemic concern.

An outage in your product would cause a cascade

If your downtime would trigger failures in your clients' own services or reporting obligations.

What "critical" designation actually means in practice

If designated, your organisation is assigned a Lead Overseer, one of EBA, ESMA, or EIOPA, chosen according to which authority is responsible for the financial entities that together account for the largest share of your clients' total assets. The Lead Overseer can request information and documents, conduct general investigations and on-site inspections, issue recommendations, and impose periodic penalty payments if you fail to comply.

If you are headquartered outside the EU, designation also obliges you to establish a subsidiary in the Union within 12 months. That is a structural commitment many non-EU cloud and SaaS providers were not anticipating.

DORA Nano Learnings. Developed by Vandy, Proofread by Claude.ai