European regulators recently published clarifications on the scope of ICT services under the EU Digital Operational Resilience Act (DORA), prepared by the European Commission, which confirm previous guidance and enable financial entities to take out of scope certain services that form part of regulated financial services.
In our recent blog post, we noted that scoping challenges over what constitutes “ICT services” have been a key trend arising from DORA compliance programs. Another key consideration has been that financial entities themselves may act as ICT service providers to other financial institutions, which requires a holistic view to be taken of the contract positions such entities take with their ICT service providers against those given to their customers.
The latest clarifications, which are provided by the European Commission and published by the European Insurance and Occupational Pensions Authority, address both points:
(i) The European Commission states that ICT services should be understood in a broad manner and cover a wide range of third-party ICT service providers “to the extent that such services encompass digital and data services provided through ICT systems and on an ongoing basis.” In other words, within scope are those digital and data services provided through ICT systems and on an ongoing basis, and only to that extent. This is not new and does not change existing guidance, but rather confirms previous guidance provided by European regulators that there must be services provided on an ongoing basis. For example, in response to July 2024 FAQs, given in the context of submitting registers of information, EU regulators stated that one-time purchased software (a single, static solution) without ongoing maintenance, support, or updates is not considered an ICT service.
(ii) An ICT service (i.e., satisfying limb (i) above) that is provided by another financial entity as part of a regulated financial service—whether regulated under European Union, member state, or third country law—is considered out of scope of DORA. The test is whether or not the ICT service is “unrelated or is independent from such regulated financial services”—if not, the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service under DORA.
In addition, the European Commission states that the rationale in limb (ii) above also applies to what it calls “ancillary services” to regulated financial services, depending on whether such ancillary services are “inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner.” In other words, if the answer to any of those descriptions is “yes,” then the ICT service should be considered a financial service and not treated as an ICT service under DORA.
However, this requires further clarity from the European Commission because there is clearly a difference between technology or a service that is inseparable or indivisible from a regulated financial service (which arguably is not “ancillary” and so would be addressed under limb (ii) above) and one that is simply preparatory for such provision yet not provided in a standalone manner (which is ancillary but could also take out of scope a significant amount of ICT services given the increasing digitization of financial services). For example, ancillary technologies that are integrated within regulated payment services, payment infrastructure, or execution platforms between financial entities could be taken out of scope by this guidance.
Conclusion
The European Commission’s confirmation of previous regulatory guidance on the key principles of ICT services is helpful and will likely streamline financial entities’ reporting and contractual obligations.
The clarifications will also help financial entities reduce overlapping regulatory burdens for essentially the same regulated services, although some may lament receiving this confirmation after the DORA compliance deadline and so close to the deadline(s) for submitting registers of information in Q1 2025. However, more clarity is needed on the concept of “ancillary services” to assist practical implementation, and as such firms should adopt a risk-based approach to those technologies and services for now.