FESE note on the scope of ICT services under DORA

Cybersecurity | 16 Sep 24

FESE members are currently working intensively to implement the obligations prescribed by DORA and have appreciated the recent rollout of a dry-run exercise organised by the European Supervisory Authorities (ESAs) on the registers of information. In this context, it became apparent to both financial market participants and the ESAs that clarification of key concepts under DORA is needed to ensure effective implementation and a smooth transition towards the application date.

Given the current uncertainty on the definition of ICT services under DORA, FESE urges the European Commission and the ESAs to provide clear criteria for defining the scope of the ICT services, with the key suggestions outlined below.

  • FESE urges the ESAs to clarify in a formally adopted Q&A document that regulated financial services are not ICT services under DORA (as previously stated in Q74/75 in the ESAs' dry-run exercise FAQs). FESE also suggests excluding from the scope of DORA those activities undertaken by financial entities to support the regulated financial services.
  • FESE underlines the need for clear criteria to define the scope of ICT services listed in Annex III of the draft ITS on the standard templates for the register of information to ensure that DORA captures only relevant ICT services.
  • Non-regulated services of financial entities should fall under the definition of ICT services only if the ICT component is the main characteristic of the provided services (i.e. limited to the provision of an IT service).
  • It is necessary to provide guidance on how financial entities can assess on a case-by-case basis whether the ICT services they receive support critical or important functions for the purposes of Article 29 of DORA.
  • FESE welcomes supervisory guidance regarding the exercise of access, inspection, and audit rights between financial entities as specified in Article 30(3)(e) of DORA.