EU must exempt firms from DORA’s ICT definitions

January 10, 2025

European Union financial services trade bodies have jointly called on the EU Commission to exempt firms from its definitions of information and communications technology (ICT) services under the Digital Operational Resilience Act (DORA) regulations.

The trade bodies are concerned the ICT services definitions capture financial services firms as critical ICT providers — thus imposing an additional compliance burden on them. They point out the definitions’ “potential impacts to implementation and compliance, supervision and oversight, and broader anti-competitive impacts to the market”.

“We strongly urge the commission to clarify that financial services provided by EU and non-EU firms to financial entities are not considered ‘ICT services’ under DORA [in upcoming guidance],” the Association for Financial Markets in Europe (AFME), the European Association of CCP Clearing Houses (EACH), the Federation of European Securities Exchanges (FESE), and the futures industry’s FIA said in a position paper.

The trade bodies want the commission to “adopt an expansive approach to any exemption granted to regulated financial services that includes encompassing non-EU regulated financial services” in its upcoming guidance.

Broad definition

The commission published the final version of the implementing technical standards (ITS) for standard templates for the DORA registers of information on December 2, with an April 30 deadline for the first submissions of information on firms’ ICT providers.

The register of information will enable the European Supervisory Authorities (ESAs) to identify critical third parties who will be subject to supervision. Last month, the results of a reporting dry run held in August 2024 outlined the common mistakes made by firms, most of which featured missing identifier data.

“The final wording of the ITS essentially reflects the European Banking Authority’s (EBA) earlier stance, adopting a surprisingly broad interpretation of ICT services. This includes services that are not digital services, data services or delivered over an ICT network,” said Katalin Horváth, a partner at law firm CMS in Budapest.

For example, the ITS includes ICT project management, platform-as-a-service and software-as-a-service, ICT risk management under DORA and ICT operation management, in addition to many other categories listed in Annex III’s definitions of ICT services.

“Based on the published ITS, it will be necessary to review previously completed registrations and reclassify ICT services, with particular attention to services not previously considered ICT services by financial entities,” said Horváth. “ICT third-party service providers should anticipate a larger volume of requests to enter into additional contractual agreements with financial entities in order to achieve DORA compliance.”

Trade bodies’ suggestion

Trade bodies have suggested three areas that the commission should consider exempting: digital-backed financial services; third-country digital-backed financial services; and ancillary services, such as regulatory reporting, middle office, trading venues and helpdesks.

“Excluding such services from DORA’s scope would be consistent with the spirit and policy intent of DORA, which is to address the growing reliance of the EU financial sector on ICT third-party services providers — such as providers of cloud computing services, software solutions, data-related services and others — and not to create a duplicative regulatory overlay for financial firms already subject to the most stringent oversight and controls both inside and outside the EU,” they said in the position paper.