Search

Considering that insurance and reinsurance intermediaries and ancillary insurance intermediaries are not obliged by law to setup a dedicated legal entity to carry out insurance distribution and therefore some of them may have a principal professional activity other than insurance distribution, how should the calculation of the thresholds defined in DORA Article 2(3) point (e) for exclusion of those intermediaries which are micro, small or medium enterprises be interpreted?

Is Regulation (EU) 2022/2554 (DORA) applicable to third-country branches in an EU country, if in the third country where their head office is established they would qualify as entities listed under under Article 2(1)(a), (n) or (o)?

The regulation applies to managers of alternative investment funds according to Article 2, point (k) of DORA. According to Article 3, (point 44), of DORA a manager of alternative investment funds is defined as “a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU”.
According to Article 4(1), point (b), of Directive 2011/61/EU (AIFM Directive) “AIFMs’ means legal persons whose regular business is managing one or more AIFs”. We are of the understanding that Article 4(1), point (b), does not exclude non-EU AIFM. EU AIFM and non-EU AIFM are defined in Article 4(1), point (L) and point (ab). Since DORA only refers to article 4(1), point (b), of the AIFM Directive and not to article 4(1), point (L), we are wondering if DORA applies to both EU and non-EU AIFM as the definition implies.

As DORA requires financial entities to pre-determine the frequency of audits and inspections on the basis of a risk-based approach, are financial entities not permitted to agree on a maximum audit frequency (e.g. once per year) with their ICT third-party service providers?

Which alternative investment fund managers (AIFMs) are captured within the scope of application of DORA under Articles 2(1)(k) and 2(3)(a) of DORA?

Do the requirements of the Digital Operational Resilience Act (DORA) apply to Virtual Asset Service Providers (VASPs) that are not classified as Crypto-Asset Service Providers (CASPs) under the Markets in Crypto-Assets Regulation (MiCAR) as of December 30, 2024 and are benefiting from the MiCAR transition period?"

Is there a detailed list of critical or important functions from a DORA perspective?

What is the level of engagement required for an ICT service to be considered as “support[ing] critical or important functions”?

Is the term “critical or important function” as defined in DORA to be understood as being equivalent to “critical or important functions or activities” under the Solvency II regime? If not, which functions are to be considered as critical or important for insurance companies?

Based on the definition of DORA Article 3(21), what types of services should be considered ICT services?