Page Contents
Key contacts
Related areas
A number of financial market representative bodies (including AFME, EACH and ECSADA) recently issued a joint statement in which they call on the European Supervisory Authorities (ESAs) to clarify that regulated financial services should not be treated as ‘ICT services’ for the purpose of the Digital Operational Resilience Act (DORA).
Background
There has been ongoing divergence among industry stakeholders regarding the interpretation of the definition of ‘ICT services’ in Article 3(21) of DORA and, consequently, over when financial entities may be seen as ICT third-party service providers for the purposes of DORA.
In an FAQ document on the ESAs’ ‘Dry Run’ exercise for reporting of registers of information, which was first published in May 2024 and updated on 4 July 2024 (see here), the ESAs’ initial response to question 74 stated that “in case a financial entity must be authorised/licenced/registered as a financial entity to deliver a service, such service is therefore a regulated financial service and not an ICT service in the meaning of DORA Article 3(21)”.
However, on 29 July 2024, the ESAs amended the response in a further updated version of the FAQ document (see here). The response no longer comments on whether a regulated financial service is an ‘ICT service’. The ESAs state that “[g]iven the number of questions received on the interpretation of ICT services and ICT service providers received from stakeholders requiring a legal interpretation, in order to provide legal certainty, the ESAs having liaised with the European Commission have agreed to respond to these questions via a formal Q&As in due course.”
Industry bodies’ joint statement
In their joint statement, the industry bodies welcome the intention of the ESAs to clarify the definition of ‘ICT services’. While the industry bodies note that the ESAs and European Commission are in the process of reviewing the FAQ responses, they urge the ESAs to “as soon as possible” reinstate the guidance confirming that regulated financial services should not be treated as ‘ICT services’ for the purpose of DORA and clarify that regulated financial services include “any services and activities subject to the supervision of a financial services regulator including any ancillary or delegated services (as opposed to stand-alone ICT services)”.
The industry bodies state that such clarification would “ensure that financial entities need to treat services provided by other financial entities as ICT services under DORA only if such services are primarily ICT-focused in their nature and purpose, such as cloud computing services, software, and data service centres as specified in Article 3(21) and Recital 79 DORA”. They also note that such an approach would be consistent with a proportionate and risk-based approach.
For further information on DORA and its impact on your firm, please contact Patrick Brandt, Partner, Ciara Brady, Senior Associate, Louise Hogan, Senior Associate, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.
Date published: 17 October 2024
