Firms involved in implementing changes to comply with new rules under the EU Digital Operational Resilience Act (DORA) have questioned whether financial services provided by other regulated firms may fall within the definition of ICT services. ICT services are defined broadly under DORA as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.” DORA makes clear that regulated firms are to be treated as ICT third-party service providers when they provide ICT services to other firms, but there has still been debate as to the scope of services that would fall within that definition, given that in practice many financial services are delivered “through ICT systems”.
On 22 January 2025, the European Commission published a Q&A response in which it confirmed that regulated financial services that “entail an ICT component” are not to be treated as ICT services. In addition, services that are “ancillary” to financial services – meaning that they are “inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service” and not provided on a standalone basis – are not to be treated as ICT services. The Commission has clarified that standalone ICT services which are unrelated to, or independent from, regulated financial services, are still in scope.
This will be a helpful clarification for firms that provide financial services to other firms, and vice versa. However, it still leaves room for some questions such as:
DORA came into effect on 17 January 2025 but work on DORA implementation is an ongoing process and further clarifications would undoubtedly be welcomed by regulated firms and impacted ICT providers.
Authored by Louise Crawford.