2024_7200 Are trust services under the scope of DORA, whatever the nature of the services

Question ID: 2024_7200
Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
Topic: ICT third-party risk management
Article: 3
Paragraph: 21-22
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
Article/Paragraph: 3. 21)-22)
Name of institution / submitter: Signaturit
Country of incorporation / residence: Spain
Type of submitter: Other
Subject matter: Are trust services under the scope of DORA, whatever the nature of the services
Question: Financial institutions (EEFFs) subject to the DORA Regulation understand that Trust services, whatever they are, are “ICT services” and therefore their providers (Trust Service Providers / TSPs) are included in the scope of the DORA Regulation. However, these Trust services do not always constitute or are part of an essential or important function for the operation of such entities, but serve for auxiliary or internal functions of the entities.

Let's take the case of an electronic signature certificate used by a representative to sign contracts with suppliers or internal legal documents: is it essential for the continued operation of a bank, and would the suspension of the service significantly affect the authorized activity of the entity?

Another example: could the use of a platform that allows the remote management of electronic notifications sent to EEFFs by public administrations thanks to connectors that allow the entity to be identified with electronic certificates be considered essential for the EEFFs' operations? It is really a tool that facilitates the administrative procedures of the entity and is not part of the services it provides to its customers.
Background on the question: Financial Entities are applying DORA without any criteria considering exclusivelly the fact that the provider is provinding "Digital services". It is a huge problem for little providers as TSP that are providing for example one single electronic certificate.

On the other part, DORA doesn't realy take into consideration the own regulation of TSP (eIDAS, NIS2) in order to avoid duplicate and triplicate homologation and control.
Submission date: 16/09/2024
Rejected publishing date: 19/02/2025
Rationale for rejection: This question has been rejected because the question is not sufficiently clear or has not sufficiently identified a provision of a legal framework covered by this tool that creates uncertainty and for which an explanation is merited in terms or practical implementation or application.
The Single Rule Book Q&A tool has been established to provide explanations and non-binding interpretations on questions relating to the practical application or implementation of the provisions of legislative acts referred to in Article 1(2) of the EBA’s founding Regulation, as well as associated delegated and implementing acts, and guidelines and recommendations, adopted under these legislative acts.
For further information on the purpose of this tool and on how to submit questions, please see “Additional background and guidance for asking questions”.
Status: Rejected question

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre