On 22 January 2025, the European Supervisory Authorities (ESAs) published guidance prepared by the European Commission (Commission) on the definition of ICT services under the Digital Operational Resilience Act (DORA). The guidance was eagerly awaited by the European financial services industry subject to DORA’s requirements, seeking clarity on the distinction between ICT services and financial services.

By way of background, DORA defines ICT services as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. This definition is intentionally broad, as reflected by the types of ICT services listed in Annex III of Commission Implementing Regulation (EU) 2024/2956 on standard templates for registers of information. This broad definition has caused problems for the industry, as in practice numerous financial services have some ICT components, which could prospectively lead to double-regulation.

In the Q&A guidance published, the Commission confirmed that where such regulated financial services entail an ICT component, they should still be considered financial and not ICT services, and regardless whether the services are provided by an EU-regulated financial entity or a third-country one (“In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).”). This guidance responds to the industry’s concerns and as such is a positive development.

The guidance further states that services provided by regulated financial entities can be ICT services (all other elements of the definition being met) if they are “unrelated or is independent from such regulated financial services”. The Commission also confirmed that the “same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner.”