Page Contents
Key contacts
Related areas
The European Commission[1] has clarified the scope of the definition of “ICT services” in Article 3(21) of the Digital Operational Resilience Act (DORA).
Background
There has been ongoing debate regarding the scope of the definition of “ICT services” under DORA, even in the final push towards the DORA implementation date (17 January 2025). This led to real practical challenges for financial entities[2] as they sought to have their ‘DORA contracts’ finalised in time for the DORA implementation date. In practice, this meant that many financial entities felt forced to either adopt an inclusive approach to the definition or alternatively adopt a ‘wait and see’ approach, taking some key preparatory steps to manage the ICT risk arising from the relationship even in the absence of a full ‘DORA contract’.
In October 2024, industry stakeholders called on the European Supervisory Authorities to issue guidance on the scope of the definition, as discussed in our previous client insight. Subsequently, in January 2025, industry stakeholders urged the European Commission to provide similar clarification.
Clarification on the definition of “ICT services”
The European Commission has confirmed the following points on the “ICT services” definition in Article 3(21) of DORA:
1. The definition should be understood in a broad manner to the extent that such services encompass digital and data services provided through ICT systems on an ongoing basis. In this regard, the assessment that financial entities conduct to determine whether the services they rely on are “ICT services” should be performed taking into account recital 63 of DORA. Recital 63 provides that DORA covers a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities.
2. Where a financial entity provides ICT services to another financial entity in connection with the financial services it provides, the receiving financial entity should assess:
If both assessments are positive, the related ICT service should be considered to predominantly be a financial service and should not be treated as a DORA “ICT service”.
3. Where a financial entity provides a service that is unrelated to, or is independent from, the regulated financial services it provides, the service should be considered a DORA “ICT service”.
4. In relation to the provision of ancillary services, “the same rationale applies…depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner”.
Commentary
The Commission’s clarification is welcome in that it recognises the reality that financial services are largely delivered electronically and inevitably supported by ongoing ICT services, such as for example information management platforms.
One point, however, that will be the subject of debate in the coming weeks is whether the Commission’s statement, summarised at paragraph two above, leaves space for a view to be taken that regulated financial services provided by (i) third country firms and (ii) domestically regulated firms fall within this ‘financial services carve out’ from the scope of DORA “ICT services”. There seems to be a potential conflict between referring to services provided by “financial entities” on the one hand whilst referencing whether the “financial entities” and the financial services they provide are regulated domestically or in a third country. This will be one of the points for discussion at our upcoming Regulatory Series webinar ‘DORA day one – Where are we and what next?’ which you can register for here.
From an Irish perspective, the Central Bank of Ireland (CBI) indicated at its ‘DORA Industry Briefing’ in November 2024 that the ‘carve-out’ was not expected to cover the ICT elements of regulated financial services provided by third country regulated entities or regulated financial services provided under a domestic authorisation. The CBI also signposted that it would publish an FAQ document following the Industry Briefing. It will be interesting to see whether the CBI adds any additional colour, in light of the Commission’s clarification.
For further information on DORA and its impact on your firm, please contact Patrick Brandt, Partner, Ciara Brady, Senior Associate, Louise Hogan, Senior Associate, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team, or alternatively, visit ALG’s DORA Hub.
Date published: 29 January 2025
[1] The clarification has been published by the European Insurance and Occupational Pensions Authority via Q&A.
[2] A “financial entity” is defined in DORA as including but not limited to the following EU entities: a bank, payment services provider, MiFID investment firm, management company, crypto-asset service provider, central securities depository, central counterparty, trading venue etc.
