European Commission - DORA definition of ICT services
On 22 January 2025 the ESAs published guidance prepared by the European Commission (Commission) on the definition of ICT services under the Digital Operational Resilience Act (DORA).
In the published Q&A guidance, the Commission confirmed that where regulated financial services entail an ICT component, they should still be considered financial services and not ICT services, regardless of whether the services are provided by an EU-regulated financial entity or a third-country one (“In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).”).