
Freshfields Risk & Compliance


ICT services amongst financial entities - EU Commission clarifies scope of DORA’s ICT third-party risk management obligations

With the Digital Operational Resilience Act (DORA), the EU has set new standards for managing ICT risk in the financial sector. It not only addresses operational risk associated with ICT infrastructures within financial entities but also responds to the financial industry’s heavy use of ICT third-party service providers. To that end, it requires financial entities to implement a nuanced ICT third-party risk management and provides for an avalanche of rules which are highly prescriptive both on the level of governance and procedural requirements as well as with a view to mandatory terms of ICT service agreements. 

In this context, DORA’s regulatory perimeter is defined by the notion of “ICT services”, i.e., digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis (including hardware as a service and hardware services such as the provision of technical support via software or firmware updates by the hardware provider, and excluding traditional analogue telephone services).

DORA’s recitals clarify that the concept of “ICT services” is intended to be construed broadly to keep pace with technological developments and that it refers not only to ICT services provided by tech companies but also to ICT services provided by (financial) group companies and other financial entities. The recitals specifically name ICT-driven payment-processing activities and payment infrastructures as services which may be considered in scope. In other words, the ICT third-party risk management framework required under DORA is not limited to a certain group of technology service providers, such as cloud computing providers or data centre operators, but may also encompass banks, insurance companies and other financial entities to the extent they provide ICT services to other financial entities. The non-tech nature of a service provider does not release financial entities from DORA’s ICT risk management requirements, and any service agreements must, in principle, contain the same mandatory terms as if the agreement were concluded with a tech company.

Nevertheless, one may raise the question whether every service with an ICT element provided by one financial entity to another necessarily triggers DORA’s ICT third-party risk management requirements. Considering the many digital elements of financial services, this would mean that financial entities would often qualify as ICT third-party service providers simply by providing financial services to each other.

In a recent Q&A issued by EIOPA (2999 - DORA030), the European Commission has shed some light on this question. It has clarified that where financial entities and their financial service are regulated under EU law or the national law of a member state or third country, their service should not be treated as an ICT service irrespective of any ICT components:

In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).

The same shall apply to ancillary services. Financial entities shall assess whether such services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner, in which case they should not be classified as ICT services. By contrast, ICT services which are unrelated to or independent from the regulated financial services offered by a financial entity as service provider should be considered in-scope.

While there is no public information available on the rationale of this clarification, it appears intuitive to exclude regulated financial services from ICT third-party risk management: such services are not only supervised from a financial services perspective, but their provider is itself subject to DORA’s ICT regulation. If such financial services were in-scope ICT services from the perspective of the service recipient, this would lead to an arguably unnecessary duplication of (ICT) regulation in respect of a single service.

However, the exact implications of the Q&A for financial services received by financial entities may require further consideration and may need to be assessed on a case-by-case basis in light of DORA’s regulatory rationale. To begin with, the Q&A does not provide a definition of “financial services”. This may create uncertainty, particularly as regards the classification of services which are not captured by the financial services typologies used by DORA or the broader EU financial acquis. There may also be rather “unfinancial” services which are nevertheless addressed by financial regulatory rules to a certain extent and may therefore be considered eligible for the exemption.

This leads to the question of what “being regulated” translates into in practice. For instance, financial services provided amongst financial entities may as such be exempted from the financial regulatory perimeter, although they are generally recognised as regulated financial services (e.g., services provided on the basis of a statutory licence exemption). The Q&A is ambiguous as to what extent it requires the service to be actually regulated and supervised in order to be exempted. Another example pertains to multi-directional services where regulatory requirements are primarily triggered by a service to end customers, the provision of which involves an ICT service relationship with financial entities. While such services are regulated, they may be considered to be regulated primarily with a view to a different service relationship (i.e., the relationship with the end customers).

To conclude, the new Q&A constitutes an important clarification of the scope of DORA’s ICT third-party risk management obligations. However, financial entities considering relying on the Q&A should carefully assess its preconditions.

Our DORA experts remain at your disposal should you have any questions with a view to the new Q&A or any other topic related to DORA and its ICT third-party risk management requirements.
