30 January 2025 | 4 minute read

European Commission clarifies definition of ‘ICT services’ under DORA

Executive Summary

If a financial entity provides a regulated service with an ICT component to another financial entity, does that service qualify as an ICT service under DORA?

This is an important question because qualifying a service as an ICT service means the collaboration between the entities has to comply with the comprehensive ICT third-party risk management rules set out in Regulation 2022/2554 (DORA).

On 22 January 2025, the Commission (finally) took a position, formally confirming the initial position of the joint European Supervisory Authorities. It takes the view that the regulated nature of a financial service with an ICT component performed by a financial entity means it won't qualify as an ICT service under DORA.

The regulated service with an ICT component will qualify as an ICT service under DORA only if the service is unrelated to or independent from the regulated activities of the financial entity.

The same conclusion applies to ancillary services with an ICT component if they're regulated services, or services inseparable from, indivisible from, preparatory to or necessary for providing a regulated service, and are not provided in a standalone manner.

 


The Digital Operational Resilience Act, ie Regulation 2022/2554 (DORA), entered into force on 17 January 2025. It imposes a comprehensive regime on ICT risk management for financial entities.

The impact of these ICT requirements is significant. The financial industry is struggling to clarify whether the regime also targets regulated financial services comprising underlying ICT services, or whether they are, by their very nature, excluded from scope.

In essence, the question is whether a regulated service with an ICT component provided by one financial entity to another is governed by DORA ICT third-party management rules (in addition to existing financial regulation).

The European Commission has finally provided important guidance on the applicability of DORA regarding these services.

 

Existing uncertainty

DORA adopted a broad definition of “ICT services” to maintain a high level of digital operational resilience and to keep pace with technological developments.

According to article 3 (21) of DORA, “ICT services” means “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.”

Since ICT services are frequently offered as a component of regulated financial services, this broad definition might bring these ICT services in scope of the DORA regime in addition to existing financial regulation. To avoid double-regulation of these ICT services, some industry federations argued that regulated financial services, including any ancillary or delegated ICT services, shouldn’t be treated as ICT services for the purpose of DORA. (See Joint Statement on DORA & definition of ICT Services)

Although the European Supervisory Authorities (ESAs) endorsed this interpretation in a former Q&A about the ESAs' 2024 DORA Dry Run exercise, the ESAs repealed the relevant responses in the course of July 2024. The ESAs announced they would liaise with the European Commission via the formal Q&A procedure under the ESA Regulations to provide guidance in this respect.

 

European Commission's position sheds light on what constitutes an ICT service

On 22 January 2025, the European Commission issued guidance on the applicability of DORA to ICT services as a component of regulated financial services. The European Commission broadly reconfirmed the repealed statements of the ESAs.

The European Commission stated that if a regulated financial entity provides ICT services to other (regulated) financial entities in connection with their regulated financial services, the related ICT services predominantly constitute financial services and shouldn’t be treated as ICT services within the meaning of DORA Article 3(21).

The European Commission also extended the reasoning to ancillary services:

“The same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner.”

Although the guidance published in the Q&A is, in principle, not binding, it provides more legal certainty on the qualification of ICT services related to regulated financial services under DORA.

Considering this regulatory development, financial entities should reassess whether DORA applies to ICT services received from other financial entities and, as applicable, amend internal ICT third-party risk management policies and procedures and review related ICT contracts.

Our dedicated Financial Services and Insurance department is following this development closely. Get in touch if you have any questions.