From 17 January 2025, companies will be required to comply with the new requirements introduced by DORA. This regulation specifically addresses the challenges of digital transformation and increasing interconnectedness in the financial industry. In this context, DORA aims to minimize risks such as cyberattacks and operational disruptions. Financial institutions and their ICT service providers must take comprehensive measures to improve their digital resilience and thereby promote the security and stability of the entire industry.

DORA is an extremely complex set of rules. The regulation comprises 64 articles, which are supplemented by a series of Regulatory Technical Standards (so-called RTS). The RTS are intended to create uniform standards throughout the EU, so that all affected financial institutions across the Union must meet the same requirements. The RTS specify and clarify the general requirements of DORA. They are being developed jointly by the relevant European Supervisory Authorities (ESAs): the EBA, EIOPA and ESMA.

Even though many of these RTS have now been published or are available as drafts, DORA still raises a number of questions of interpretation. This is particularly precarious because the time until DORA comes into force is getting ever shorter and the affected companies need to prepare for the regulation. One of these questions concerns the applicability of DORA to a financial company that provides services for another financial company. When can it be assumed that such a service is an ICT service that makes the providing financial company an ICT third-party service provider within the meaning of DORA? Do the requirements of DORA then also have to be met between two companies that are already regulated by the supervisory authorities?
This question has significant consequences: classifying a financial company as an ICT third-party service provider would, among other things, have far-reaching implications for the contractual relationship between the financial company acting as ICT third-party service provider and the client financial company.
Unclear Provisions in DORA Regarding the Term ICT Third-Party Service Provider
DORA defines ICT third-party service providers as companies that provide ICT services. In addition, recital 63 states that financial institutions that provide ICT services to other financial institutions should also be considered ICT third-party service providers under the regulation. Thus, it is clear that financial institutions can in principle also be ICT third-party service providers if they provide ICT services to other financial institutions.

According to DORA, ICT services are digital and data services that are provided on a permanent basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services, which also includes technical support provided by the hardware provider by means of software or firmware updates, with the exception of traditional analog telephone services. This definition is, as intended by the regulator, very broad. This is clarified in recital 35 of DORA, which emphasizes that the regulation is intended to address all risks arising from all types of ICT services. To this end, the definition of ICT services in the context of DORA should be interpreted broadly to include digital services and data services provided on an ongoing basis to one or more internal or external users via ICT systems. Furthermore, recital 79 mentions the use of cloud computing services, software solutions and data-related services as examples of ICT services.

Assuming that a financial company regulated under MiFID II or MiCAR provides a regulated financial service to another financial company and makes that financial service available to it on a permanent and digital basis, the question arises whether the requirements of DORA would have to be met in addition to the existing requirements for the financial service.
The definition would readily allow for such a view, which would mean increased bureaucracy and additional costs for financial companies – all for the benefit of the digital operational resilience of the financial market. However, it remains questionable whether traditional financial services should automatically be classified as ICT third-party service providers just because they are provided digitally.
The Industry Calls for Binding Clarification
In their FAQ as part of the “DORA 2024 Dry Run Exercise on Reporting of Registers of Information”, the ESAs comment on the interpretation of ICT services to the effect that if a financial entity requires authorization, licensing or registration as a financial entity in order to provide a service, then that service is a regulated financial service and not an ICT service for the purposes of DORA. This interpretation would make it possible to exclude purely financial services that are not traditional cloud computing services, software solutions or data-related services from the scope of DORA.

On October 1, 2024, the trade and interest associations FIA, AFME, EACH, ECSDA and FESE issued a joint statement on this topic in which they call on the ESAs to adhere to the view taken in the Dry Run for the upcoming application of DORA and to determine as quickly as possible that financial services should not be treated as ICT services for the purposes of DORA. They also call for clarification that regulated financial services include all services and activities subject to the supervision of a financial services regulator, including any ancillary or delegated services.

This call is to be welcomed. Clarification is urgently needed to create legal certainty in the implementation of DORA. Regulated financial firms are already subject to extensive obligations and meticulous supervision with regard to their supervised business activities. Any application of DORA going beyond this would mean additional work and expense, with only negligible added value in terms of financial market security. However, it remains to be seen how the ESAs will position themselves.
Attorney Anton Schröder
The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.