Several ICT service providers, who are already subject to supervision as financial entities, claim that they do not fall under the definition of third-party ICT service providers contained in DORA for the simple reason that they are already subject to financial service or, more broadly, banking supervision. On the basis of this position, they are not willing to comply with the requirements set out in Article 30 of the Regulation (EU) 2022/2554.

We have unsuccessfully rejected this position on the basis that DORA does not provide an exception for them given that:

- the Recital no. 63 of the Regulation (EU) 2022/2554 states “in light of the evolving payment services market becoming increasingly dependent on complex technical solutions, and in view of emerging types of payment services and payment-related solutions, participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, should also be considered to be ICT third-party service providers under this Regulation, with the exception of central banks when operating payment or securities settlement systems, and public authorities when providing ICT related services in the context of fulfilling State functions”; 

- according to Recital no. 78 of the Regulation (EU) 2022/2554 “financial entities providing ICT services to other financial entities, while belonging to the category of ICT third-party service providers under this Regulation, should also be exempted from the Oversight Framework since they are already subject to supervisory mechanisms established by the relevant Union financial services law”;

- EBA, within the Q&As on ESAs 2024 DORA Dry Run exercise on reporting of the registers of information (version dated 4 July 2024), in relation to the question on “What types of third-party provider should be considered ICT third-party providers?” (Q&A no. 74) replied that “The definition of ‘ICT services’ in Article 3(21) of Regulation (EU) 2022/2554 intentionally maintains a broad scope. Recital (35) of Regulation (EU) 2022/2554 indeed clarifies that, with the aim of maintaining a high level of digital operational resilience, the definition of ICT services should be understood in a broad manner to the extent such services encompass digital and data services provided through ICT systems on an ongoing basis. Therefore, financial entities are responsible for undertaking such assessment for the services they rely on. Such assessment should be performed taking into account the clarification from DORA Recital (63), and without prejudice to sectoral regulations applicable on financial regulated services: in case a financial entity must be authorised/licenced/registered as financial entity to deliver a service, such service is therefore a regulated financial service and not an ICT service in the meaning of DORA Article 3(21)”; and

- in last version of the Q&As (29 July 2024), EBA amended that question, specifying that “Given the number of questions received on the interpretation of ICT services and ICT service providers received from stakeholders requiring a legal interpretation, in order to provide legal certainty, the ESAs having liaised with the European Commission have agreed to respond to these questions via a formal Q&As in due course. For the time being, the financial entities are invited to register their contracts on a best effort basis taking into account that the Register of Information is also an ICT third-party risk management tool”.