The EU Regulation 2022/2554 (DORA) has come into force and financial firms must comply with the new requirements. The regulation focuses on addressing the challenges posed by digital transformation and growing interconnectedness in the financial industry, which will intensify in the future. DORA aims to further reduce risks arising, for example, from cyber-attacks and business interruptions. The specific obligations that DORA places on financial entities are complex, and the bureaucratic burden they create should not be underestimated. At the same time, however, DORA helps to promote appropriate minimum standards in the area of digital operational resilience.

DORA is supplemented by regulatory technical standards (so-called RTS), which are regularly drafted by the ESAs (EBA, EIOPA and ESMA) in cooperation with the national supervisory authorities and adopted by the Commission in accordance with the relevant requirements. Most RTS have already entered into force in this way. The RTS are intended to provide financial entities with specific guidelines on how the requirements of DORA are to be understood and implemented in the areas regulated by the RTS.

Although DORA and almost all RTS are already applicable, there is still some uncertainty regarding the interpretation of DORA in individual cases. EIOPA has now provided interpretation notes via the ESAs’ joint Q&A on one of the major questions concerning DORA, namely when a financial entity is to be classified as an ICT third-party service provider in relation to other financial entities. There is also uncertainty regarding the outsourcing by ICT third-party service providers of critical or important functions, or significant parts thereof, to subcontractors. The draft RTS on this from the ESAs is still at the drafting stage even though DORA has already come into force, and the Commission has now announced its intention to partially reject the draft.

The following comments address these issues surrounding DORA.
Clarification: When Financial Entities May Be Qualified as Third-party ICT Service Providers
One of the most pressing questions for many financial companies is whether DORA applies when a financial entity provides digital services to another financial entity. At what point are the services between financial entities classified as ICT services? If the services are ICT services within the meaning of DORA, a financial entity can also be considered an ICT third-party service provider within the meaning of DORA. This is explicitly clarified in recital 63 of DORA. On behalf of the ESAs, EIOPA is now providing legal practitioners with an interpretative guide. In EIOPA’s view, financial services may also include an ICT component. If financial entities provide ICT services to other financial entities in connection with their financial services, the financial entity receiving the ICT services should check, firstly, whether the services constitute an ICT service as defined by DORA and, secondly, whether the financial entity providing the services and the financial services it offers are regulated under EU law or the national law of a member state or a third country. Should both tests be passed, the ICT service in question should be considered predominantly a financial service and not an ICT service within the meaning of Article 3 subsection 21 DORA. If the service is provided by a regulated financial entity offering regulated financial services, but the service is unrelated to or independent of such regulated financial services, the service should be considered an ICT service for the purposes of Article 3 subsection 21 DORA. This interpretation is to be endorsed, as it is in line with the objectives of DORA, is consistent with the guiding principles of recital 79 and avoids additional red tape in the area of ICT third-party risk management between financial entities, each of which is already subject to the requirements of DORA.
Further Uncertainty Regarding RTS on Subcontracting
On January 21, 2025, the European Commission rejected the draft regulatory technical standards (RTS) related to the subcontracting of ICT services supporting critical or important functions. These RTS are urgently needed, among other things, so that financial entities know how far-reaching contractual agreements with third-party ICT service providers need to be with regard to subcontracting. The Commission considers that the requirements in Article 5 of the draft RTS go beyond the powers granted to the ESAs by Article 30 subsection 5 DORA. In particular, the objection concerns the conditions for monitoring the chain of ICT subcontractors, which are not specifically linked to the conditions for subcontracting. The Commission is asking for the removal of Article 5 and the associated Recital 5 from the draft RTS to ensure that the draft is consistent with the mandate. The corresponding article will therefore no longer be part of the rules to be observed by financial entities. Unfortunately, this also delays the binding adoption of the RTS, and financial entities are still only able to work with the draft. At least the Commission is otherwise proposing only editorial changes, intended to improve the quality of the legal act without affecting its substance. The ESAs have six weeks to revise the draft based on the amendments proposed by the Commission and resubmit it. If the ESAs do not amend the draft in line with the Commission’s suggestions or do not submit a revised draft within this period, the Commission may adopt the RTS with the amendments it has proposed or reject them altogether. It is therefore to be expected that more legal certainty will soon prevail. Until then, financial entities should work with the existing draft and refrain from applying the requirements in Article 5 of the RTS.
Attorney Anton Schröder