Regulating ICT-enabled financial services under DORA

Should financial entities providing ICT-enabled financial services be regulated as ICT third-party service providers under DORA?

29 November 2024

Publication


Under the Digital Operational Resilience Act (DORA), financial entities are subject to strict risk management requirements when procuring ICT services from third-party vendors that underpin their financial services and operations (see our DORA Podcast Series for more information on this and other elements of DORA).

The position under DORA (recital 63) is that a financial entity that provides ICT services to other financial entities will in principle qualify as an ICT third-party service provider. That position is clear where it concerns standalone ICT services but less clear where it concerns ICT services that are an integral part of the financial services provided by a financial entity to other financial entities.

Take, for example, a financial entity that offers other financial entities access to an online trading venue for conducting transactions in securities or other financial instruments, which is a regulated financial service. Should that financial entity be considered an ICT third-party service provider under DORA in respect of the ICT functionalities (like the matching engine, front-end software platform, or APIs) that are provided as part and parcel of that financial service?

A positive answer will considerably increase the regulatory burden under DORA for the financial entities that provide and receive ICT-enabled financial services.

The debate

This question about the scope of ICT third-party risk management requirements under DORA has sparked considerable debate.

The European Supervisory Authorities (ESAs) initially took the position that a regulated financial service, including its integrated ICT service functionalities, does not qualify as an ICT service under DORA (see their responses to questions 74 and 75 in the FAQ document of 4 July 2024). However, the ESAs subsequently revised their position, indicating that formal guidance would be issued after alignment with the European Commission (see their revised responses to the same questions in the updated FAQ document of 29 July 2024).

In the meantime, a group of financial entities issued a joint statement on 1 October 2024 via their trade associations, urging the European Commission and the ESAs to reinstate the guidance confirming that regulated financial services should not be treated as ICT services under DORA.

Exploring the scenarios

The case for exclusion: Advocates for exempting financial services from ICT third-party risk management requirements under DORA argue that it leads to redundant regulatory oversight, as these services already carry ICT-related risk management obligations under DORA and other regulatory frameworks. For example, trading venues must comply with specific ICT resilience requirements under the MiFID II Directive (see Articles 17, 18 and 48 MiFID II), in addition to DORA. In this context, it can be argued that the reasoning outlined in DORA (see recital 78) for exempting financial entities from being designated as critical ICT third-party service providers (i.e., because those entities are already subject to supervisory oversight established by relevant financial services laws in the EU), should similarly apply here.

The case for inclusion: Conversely, one could argue that the principle of proportionality under Article 28(1) DORA makes it possible to recognise that the ICT services in question are integrated with regulated financial services and that the financial entities providing these services are already subject to regulatory operational resilience obligations. On that view, a complete exemption might not be necessary. Instead, a financial entity receiving ICT-enabled financial services from another financial entity could adopt a balanced, proportionate approach when implementing measures to address any third-party ICT risks associated with the relevant financial services.

Looking ahead

The financial sector awaits definitive guidance from the European Commission and the ESAs on this important issue. The anticipated direction seems to align with the industry's joint statement, yet the final outcome remains to be seen.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.