The European Insurance and Occupational Pensions Authority recently published the European Commission’s response (Q&A 2999) on the question of which services fall under the definition of “ICT services” under Article 3(21) of the EU Digital Operational Resilience Act (DORA). This guidance was highly anticipated by the financial services sector to clarify the distinction between information communication and technology (ICT) services and financial services.
“ICT Services” Under DORA
The definition of “ICT services” is integral to determining the scope of services subject to DORA’s regulatory framework.
Article 3(21) of DORA defines “ICT services” to mean “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
Q&A 2999
Q&A 2999 confirms that the definition of “ICT services” under DORA is intentionally broad and the onus is on a financial entity to assess whether the services it relies on are ICT services. Such assessment should be performed taking into account the general position referred to in Recital 63 of DORA, which specifies that DORA covers a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities, and without prejudice to sectoral regulations applicable on regulated financial services.
Notably, Q&A 2999 provides that, in the case of financial services with an ICT component, the receiving financial entity should assess:
- whether the services constitute an ICT service under DORA; and
- if the providing financial entity and the financial services it provides are regulated under EU law or any national legislation of a Member State or of a third country.
If the answer to both items (a) and (b) above is yes, then the related service should be considered as predominantly a financial service, and not an ICT service within the scope of DORA.
Conversely, where the service provided by a regulated financial entity is unrelated or is independent from its regulated financial services, the service should be considered as an ICT service within the scope of DORA.
Conclusion
Q&A 2999 provides a timely clarification for financial entities receiving services from other regulated firms. Q&A 2999 explains that certain regulated financial services and ancillary activities remain out of scope and are not considered ICT services under DORA and, therefore, do not need to be included in internal registers of financial entities. This also applies to entities regulated in third countries. However, ICT services provided by financial entities that are unrelated to or independent of regulated financial should be classified as ICT services under DORA.
Q&A 2999 is available here.
