- Question ID: 2024_7273
- Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
- Topic: Other DORA topics
- Article: 30
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: 30
- Type of submitter: Law firm
- Subject matter: Financial entities subject to supervisory mechanisms as ICT third-party service providers.
- Question
Should financial entities providing ICT services to other financial entities (even if these ICT services are ancillary to regulated financial services) be considered as ICT third-party service providers under the Regulation (EU) 2022/2554 and, consequently, should their contractual arrangements for the use of relevant ICT services include the key contractual provisions set out in Article 30 of the DORA Regulation; or otherwise, does the fact that these entities are already authorised/licenced/registered mean that they should not be considered as ICT providers and, therefore, that their contractual arrangements do not need to contain the requirements set out in Article 30?
- Background on the question
Given that:
  - according to Recital no. 63 of the DORA Regulation “in light of the evolving payment services market becoming increasingly dependent on complex technical solutions, and in view of emerging types of payment services and payment-related solutions, participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, should also be considered to be ICT third-party service providers under this Regulation, with the exception of central banks when operating payment or securities settlement systems, and public authorities when providing ICT related services in the context of fulfilling State functions”;
  - according to Recital no. 78 of the DORA Regulation “financial entities providing ICT services to other financial entities, while belonging to the category of ICT third-party service providers under this Regulation, should also be exempted from the Oversight Framework since they are already subject to supervisory mechanisms established by the relevant Union financial services law”;
  - the European Banking Authority, within the Q&As on ESAs 2024 DORA Dry Run exercise on reporting of the registers of information (version dated 4 July 2024), upon question on “What types of third-party provider should be considered ICT third-party providers?” (Q&A no. 74) answered that “The definition of ‘ICT services’ in Article 3(21) of Regulation (EU) 2022/2554 intentionally maintains a broad scope. Recital (35) of Regulation (EU) 2022/2554 indeed clarifies that, with the aim of maintaining a high level of digital operational resilience, the definition of ICT services should be understood in a broad manner to the extent such services encompass digital and data services provided through ICT systems on an ongoing basis. Therefore, financial entities are responsible for undertaking such assessment for the services they rely on. Such assessment should be performed taking into account the clarification from DORA Recital (63), and without prejudice to sectoral regulations applicable on financial regulated services: in case a financial entity must be authorised/licenced/registered as financial entity to deliver a service, such service is therefore a regulated financial service and not an ICT service in the meaning of DORA Article 3(21)”; and
  - in the subsequent version of the Q&As, dated 29 July 2024, the European Banking Authority changed its answer to the same question, specifying that “Given the number of questions received on the interpretation of ICT services and ICT service providers received from stakeholders requiring a legal interpretation, in order to provide legal certainty, the ESAs having liaised with the European Commission have agreed to respond to these questions via a formal Q&As in due course. For the time being, the financial entities are invited to register their contracts on a best effort basis taking into account that the Register of Information is also an ICT third-party risk management tool”,
financial entities are hardly bringing their contracts with supervised ICT suppliers into line with DORA’s requirements, since such supervised financial entities claim not to fall under the definition of ICT third-party service providers. Please consider that we posted this question to the Bank of Italy, which responded that we should ask the EBA.
- Submission date
- Rejected publishing date
-
- Rationale for rejection: This question has been rejected because the matter it refers to has been answered in Q&A DORA030.
- Status: Rejected question