DORA Exemptions for Microenterprises: What Small Financial Firms Need to Know
Introduction
Since 17 January 2025, the Digital Operational Resilience Act, better known as DORA (Regulation (EU) 2022/2554), has been fully applicable across the European Union. Banks, insurers, payment institutions and a wide range of other financial entities now face binding obligations on ICT risk management, incident reporting, resilience testing and third-party risk. But what about the smallest players? A microenterprise, as defined in Article 3(60) of DORA, is a financial entity that employs fewer than ten persons and has an annual turnover and/or annual balance sheet total not exceeding EUR 2 million. Such firms benefit from targeted exemptions, but the picture is more nuanced than many assume.
Background: What DORA Requires and Why Size Matters
DORA's main goal is to unify and extend existing standards and requirements at both European and national level, creating a comprehensive and harmonized framework to ensure the continuity of financial activities in the face of cyberattacks and to strengthen digital operational resilience across financial entities.
The regulation applies to a broad spectrum of financial firms - from traditional banks to crypto-asset service providers. In line with a general principle of proportionality, in-scope financial entities are required to comply with DORA by taking into account their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations.
However, not every small firm automatically qualifies as a microenterprise under DORA. The definition in Article 3(60) explicitly excludes trading venues, central counterparties, trade repositories and central securities depositories: these entities are never treated as microenterprises, even if they meet the headcount and turnover thresholds. This distinction matters enormously in practice.
What Exemptions Apply - and What Remains Mandatory
Microenterprises remain subject to the full ICT risk management framework of Chapter II and are exempted only from specific requirements within it. They are not obliged to establish a dedicated role for monitoring arrangements with ICT third-party service providers, nor to assign responsibility for managing and overseeing ICT risk to a separate control function. They are also not required to maintain a crisis management function that takes over when the ICT business continuity plan is activated.
When it comes to testing, the relief is substantial. Financial entities other than microenterprises must establish, maintain and periodically review a comprehensive digital operational resilience testing programme to assess their preparedness for ICT-related incidents and identify weaknesses. Microenterprises are spared this obligation, and the threat-led penetration testing (TLPT) requirements of Articles 26 and 27 do not apply to them either. The relief under the ICT third-party risk rules of Articles 28 to 30 is narrower than often stated: microenterprises are exempt from adopting and regularly reviewing a formal strategy on ICT third-party risk (Article 28(2)), but the obligation to keep a register of information on all contractual arrangements with ICT third-party providers and the minimum contractual content required by Article 30 still apply to them.
Other small financial entities, such as small and non-interconnected investment firms or small institutions for occupational retirement provision, benefit from a different kind of relief: the simplified ICT risk management framework of Article 16. For these entities, the eleven articles of the full framework (Articles 5 to 15) are replaced by the single Article 16. It is important to understand that microenterprises do not automatically fall under this simplified framework; they operate under the full framework, with the specific carve-outs described above.
Practical Implications: What Microenterprises Still Must Do
Being a microenterprise does not mean being exempt from DORA altogether. Micro and small enterprises are targeted by cybercriminals as much as their larger counterparts, yet many remain unprepared due to a lack of resources, budgets and skills. The regulation acknowledges this vulnerability - which is precisely why it still imposes baseline obligations.
Microenterprises in the financial sector must still maintain a sound, documented ICT risk management framework proportionate to their size and risk profile. They must classify ICT-related incidents and report major ones to their competent authority (in Germany, BaFin). They must keep a register of their ICT third-party arrangements and ensure that contracts with ICT service providers contain the minimum provisions DORA requires. And they must be able to demonstrate compliance whenever supervisors request information.
Whether statutory exemptions apply must be assessed on a case-by-case basis. Even without a specific statutory exemption, the extent of measures a financial firm must undertake can vary considerably depending on its individual risk profile. A microenterprise providing payment services in a niche market may face a very different practical compliance burden than one acting purely as an insurance intermediary.
Conclusion: Proportionality Is Not a Free Pass
DORA's proportionality principle is a genuine relief for smaller financial firms, but it is not a blanket exemption. The regulation asks every entity, regardless of size, to take digital resilience seriously. For microenterprises the obligations are lighter, but they are real. The smartest first step is a straightforward internal inventory: Which ICT systems are in use? Who are the key external providers, and are those arrangements recorded in the register of information? Which incidents would have to be classified as major and reported? Answering these questions honestly is the foundation of DORA compliance for any small financial firm operating in Europe.
As supervisory authorities across the EU continue to ramp up enforcement activity throughout 2025 and beyond, the window for informal preparation is narrowing. Small does not mean invisible - and in the eyes of European financial regulators, every entity in scope has a responsibility to be resilient.
Sources
European Union, Regulation (EU) 2022/2554 - Digital Operational Resilience Act (DORA), Official Journal of the EU, December 2022
BaFin - Bundesanstalt für Finanzdienstleistungsaufsicht, DORA information page
Norton Rose Fulbright, "Digital Operational Resilience for the Financial Sector: 10 Things to Know"
Grant Thornton Deutschland, "DORA-Verordnung der EU: Was jetzt für Unternehmen wichtig ist" (The EU's DORA Regulation: what companies need to know now)
KPMG Klardenker, "DORA - auch nach dem Stichtag bleibt 2025 viel zu tun" (DORA: plenty left to do in 2025 even after the deadline)
Eris Law, "DORA Compliance for Microenterprises: Key Articles and Exemptions"