ESAs publish guidance on the definition of ICT services under DORA
Broad scope of ICT services
DORA adopts a broad definition of ICT services, covering digital and data services provided through ICT systems on an ongoing basis. Financial entities must assess whether the services they use fall within the scope of Article 3(21) of DORA, considering clarifications in Recital 63 of DORA.
Financial vs ICT services
Where regulated financial services entail an ICT component, the financial entity ought to assess whether those services constitute an ICT service under DORA. If the outcome is positive, the related ICT service should be considered to be predominantly a financial service. The European Commission clarifies that such regulated financial services could be provided by an EU-regulated financial entity or a third-country one.
However, standalone ICT services provided by financial entities, unrelated to or independent of regulated financial services, fall under DORA’s definition of ICT services. The same approach applies to ancillary services, depending on their connection to financial services.
Key takeaway
Financial entities should carefully assess their ICT services under DORA and distinguish them from financial services where applicable. For completeness, while this guidance helps clarify existing rules, only the Court of Justice of the EU has the authority to interpret EU law definitively.
For more information, the Q&A can be found on EIOPA’s official page.