Your DORA questions answered – ICT services in scope

This second of a series of six articles covering a practical session organised by Ashurst focuses on the ICT services in scope of DORA.

The specialist team at Ashurst organised a helpful follow-up to their successful initial session on DORA. The number of questions from attendees of the first webinar was the primary motivation for organising a session focusing specifically on answers to practical questions posed by those attending.

A theme apparent throughout the session was that, with the January 2025 DORA compliance deadline fast approaching, key aspects of the DORA regime – including the technical standards (RTSs) – remain incomplete. As a result much of the advice even from experts remains couched in conditional language. The team was very sympathetic to the pent-up frustration from those who will be responsible for ensuring their institutions are DORA-compliant apparent in both the number as well as the tenor of the questions posed.

We have tried to summarize the Ashurst team’s answers to each of the questions tackled during the session. The Ashurst team very helpfully organized the questions into broad thematic categories that are reflected in a series of bite-size articles.

4.ICT third party contracts
5.Business resilience
6.Extraterritoriality and existing rules

A list of the Ashurst specialists contributing is included below. Any errors or omissions are those of the GRIP team.

The information below does not and is not intended to constitute legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is not intended to be relied upon in the making (or refraining from making) any specific decisions.

Is there guidance on identifying the services to be captured under the broad definition of “ICT services”? How can firms take a proportional approach to ensure they are not capturing every service that has an IT element?

The definition is broad and is probably intentionally so. Under the definition ICT services are everything that includes a technology element. And the principle of proportionality probably does not apply here.

This is underscored by Recital 35 which clarifies that: the definition of ICT services should be “understood in a broad manner … should, for instance, include so called ‘over the top’ services, which fall within the category of electronic communications services” and that the definition should “exclude only the limited category of traditional analogue telephone services“.

However, when building a risk management framework it is important to understand which of the services will have a material impact on being able to provide services. The preliminary stage is when such a determination should be made because otherwise much time and effort can be wasted on work that proves to be unnecessary.

It is important to note in this context that differing levels of assurance are required depending on how material the services the third party provides are to a financial entity’s ability to provide services itself.  

Is there any guidance on defining “ongoing basis” within the definition of ICT services?

There is no further or specific guidance in DORA and firms should adopt a practical approach looking at the specifics of each service and third party.

The EBA guidelines are helpful in this context, and describe the equivalent concept as “recurrent and ongoing”.

Would DORA apply to our arrangements with a reseller, even where the firm does not have a direct relationship with the ICT third-party service provider, for example the firm conducts its procurement of ICT services through a reseller?

DORA would almost certainly apply in such a scenario despite the fact that no contractual relationship with the third-party ICT service provider exists.

Where a reseller is being utilized to procure services a firm is under an obligation to ensure that the reseller’s procurement of those services contractually leads to the same outcome as would have existed had those services been provided directly by the third party.

GRIP Comment

This is an interesting practical question and one that many firms that have attempted to simplify their procurement of ICT services will be grappling with. As suggested by the Ashurst team, the intermediation by a reseller does not mean that the financial entity can abrogate its obligation to comply with DORA.

Here at GRIP we have been debating what this might mean in terms of practical outcomes and we think that much will depend on the relationship between financial entity and reseller as well as the reseller’s own position on how to deal with the implications of DORA. It is entirely possible, for example, that some resellers may see helping a financial entity to meet its DORA obligations as part of the value add service they offer.

However, even where a reseller is willing to help it is essential to recognize that it is the financial entity who is ultimately responsible for ensuring compliance. Unfortunately this means much closer scrutiny and oversight of the third-party ICT service providers themselves. The consequence of this is, of course, potentially significant additional due diligence and audit work.