Clarifying the treatment of ICT-enabled financial services under DORA

Although the Digital Operational Resilience Act (DORA) has applied to EU financial entities since 17 January 2025, there remain several areas of uncertainty. Among these is the treatment of ICT services provided by one financial entity to another, which we previously covered in this article where we explored the debate and possible scenarios.

In summary, recital 63 of DORA clarifies that financial entities providing ICT services to other financial entities are considered ICT third-party service providers. Although it is straightforward when dealing with standalone ICT services, it becomes complex when financial services include ICT components. Initially, ESA's July 2024 FAQ advised that such integrated services would not be treated as ICT services, but this guidance was later withdrawn, causing uncertainty ahead of the implementation date. Consequently, many firms continued to rely on the withdrawn guidance, with trade associations urging the Commission to reinstate the advice to provide more certainty to firms preparing for DORA compliance.

What’s new?

The European Insurance and Occupational Pensions Authority (EIOPA) has now published a formal Q&A 2999 which sets out the Commission's comments. The Commission confirms that:

• DORA’s definition of ICT services is intentionally broad and the onus is on financial entities to assess whether the services they rely on are ICT services.
• This assessment should be performed taking into account the general position referred to above, in other words that DORA covers a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities.
• In the case of financial services with an ICT component, the receiving financial entity should ask whether a) the services constitute an ICT service under DORA and b) the providing financial entity and the financial services it provides are regulated under Union law or any national legislation of a Member State or of a third country.
• If the answer to both questions is yes, then the service should be treated as predominantly a financial service, and not an ICT service within the scope of DORA.
• Conversely, where the service provided by a regulated financial entity is unrelated or is independent from its regulated financial services, the service should be considered as an ICT service within scope of DORA.

Q&A 2999 provides a timely and much needed clarification for financial entities receiving services from other licensed firms. In particular, the clarification that the providing financial entity can be under an EU, national or third-country regime is welcome.