The European Commission has now published its long-awaited additional guidance on how to determine whether a service received from a financial entity should be classified as an ‘ICT Service’ within the meaning of DORA.

Financial Services vs. ICT Services

The definition of ‘ICT services’ under DORA is intentionally broad, and encompasses digital and data services provided through ICT systems on an ongoing basis. However, given that nearly all services have an ICT component, the question outstanding has been whether DORA should also be applied to digitally-backed financial services.

The European Commission has now addressed this question, setting out that in order to be considered an ICT Service for the purposes of DORA and the Register of Information, the following two tests must be applied to each service received:

1. Does the services constitute an ICT service under DORA; and
2. Is the service provided by a financial entity and are the financial services being provided regulated under EU law or any national legislation of a Member State or of a third country.

In cases where both tests are positive, then the services received should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA .

What does this mean in practice?

Following the guidance issued by the European Commission, financial entities can now confidently de-scope those delegates and other outsourced service providers who perform regulated financial services on their behalf. However, it is important to recognise that both the financial entity and the services in question must be regulated under EU Law, national legislation or Non-EU law for this exemption to apply.

The European Commission has confirmed that where an ICT service is received from a financial entity which is unrelated or independent from the regulated financial service, such ICT services will still be subject to the full requirements of DORA and should be recorded in the Register of Information accordingly.

Next Steps

Given the fast-approaching submission deadline for the Register of Information, it will be important for all financial entities to reassess the identification, classification and mapping processes they have applied to their business functions to ensure that they clearly distinguish between the financial services and ICT services they receive from both intragroup and external third parties.  Where a financial entity has been engaged to provide a range of services, it will also be necessary to review each service individually and assess whether any may separately constitute an ICT Service.

Arthur Cox will be releasing further guidance to financial entities over the coming days to support the implementation of this assessment in the form of a new annex to the Arthur Cox DORA Toolkit. If you would like more information on the DORA Toolkit, please do not hesitate to contact your usual Arthur Cox contact(s), or any member of the Governance and Consulting Services or Technology and Innovation teams to discuss how we can help you.