Share

24 Jan 2025

The European Commission clarifies the definition of ICT services under DORA

briefing

Financial Regulation


Introduction

On 22 January 2025, the European Insurance and Occupational Pensions Authority (EIOPA) published a new Question and Answer providing welcome clarification from the European Commission on the definition of ‘ICT services’ under the Digital Operational Resilience Act (DORA).

There has been divergence among industry stakeholders to date regarding the interpretation of the definition of ‘ICT services’ under DORA, particularly where one financial entity provides one or more financial services with an ICT component to another financial entity.

Question ID No 2999 clarifies as follows:

“Financial services may entail an ICT component. In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(2).

In case the service is provided by a regulated financial entity providing regulated financial services but is unrelated or is independent from such regulated financial services, the service should be considered as an ICT service under Article 3(21) DORA.

The same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner”.

An analysis of each of the services provided by the financial services provider should therefore be carried out to determine whether or not each such service falls outside the scope of an ICT service, on the basis of the above clarification provided by the European Commission.

DISCLAIMER: This document is for information purposes only and does not purport to represent legal advice. If you have any queries or would like further information relating to any of the above matters, please refer to the contacts above or your usual contact in Dillon Eustace.


Copyright Notice: © 2025 Dillon Eustace LLP. All rights reserved.

Key Contacts