DORA also applies to the "financial entities" listed in Article 2 DORA. This includes investment firms as defined in Article 4 point (1) of Directive 2014/65/EU. Reference is made to Article 2 subsection 1 under e. in conjunction with Article 3 point (33) of DORA. Does this mean that DORA also applies to investment firms with their seats outside the EU which provide investment services in the EU?

Our understanding is that a business can rely on the exemption under either Article 3(60) micro enterprise, (63) small enterprise or (64) medium-sized enterprise categories under DORA. We have however not been able to find clear information on which accounting standard that should be used when calculating annual turnover under DORA. In addition, our analysis has not shown that the Commission Recommendation 2003/361/EC on small and medium-sized enterprises provides any guidance on the question of which accounting standard can be used.
In a recent informal call with the Swedish FSA, we were informed that, when calculating the turnover of an entity to determine whether it falls under the SME exemption under DORA, the entity should use the same accounting standards that were used to draw up the relevant audited accounts. Thus, if IFRS is applied by the national entities, the relevant entity shall use the same basis (IFRS) to calculate the relevant national turnover. Is this also ESMA's view?

Are service providers that are financial entities, in particular GPW, KDPW, IRGiT Banks, foreign entities that are financial institutions ICT service providers? The service does not concern the provision of ICT services, but e.g. maintaining a bank account.

Financial entities select ICT service providers based on risk assessment, taking into account the business continuity plan and a number of national and sectoral regulations regarding cybersecurity. In addition to standard contractual relationships with entrepreneurs, there are also solutions that financial entities use:
a) on the basis of a license, e.g. open source. The license provisions are not negotiated, and the service is not individually parameterized for the investment company. The investment company has no influence on the shape of the service and the license provisions. The licenses contain provisions regarding automatic update of the tool, but do not contain provisions regarding, e.g. support or SLA, e.g. Adobe Acrobat Reader;
b) web applications, e.g. Lex/Legalis systems (review of legal acts), which employees access via a browser, the agreement does not involve installing the application on the employee's computer, but only providing a specified number of licenses for use by the company, or a web system for registering correspondence in the case of ordering a courier;
c) providers of employee benefits, e.g. medical care. They are not directly related to the company's business, employees use the application on private devices and log in with a private email address, while registration is necessary for the medical company to create an account for the employee;

Is it possible to apply the principle of proportionality, provided for in the DORA regulations, which will allow for proper identification of risks and the application of proportionate mitigants in the case of the above-mentioned services? In the opinion of the financial entity, the application of all the obligations indicated in the DORA regulations, in particular those concerning contractual provisions and reporting obligations, is disproportionate to the risk generated by the above solutions. The financial entity does not deny the need for each case of evaluation of the solution and review of its correct functioning, the number of entities in relation to which these obligations would have to be performed may affect the quality of the duties performed.

Are the services supporting a critical or important function all the services used as part of performing this function, including those that are quickly and relatively cheaply replaceable (e.g. Adobe Acrobat Reader, 7ZIP, e-mail encryption program)?

DORA Article 3(28) excludes natural persons from the definition of 3rd country subcontractors, does the same apply to EU Subcontractors?