Data Protection lawyers with 50+ years of experience

Free initial consultation
/insights

Updated Thursday, November 28, 2024

Updated Thursday, November 28, 2024

How to implement DORA in your company (Part 3): Who is considered an ICT third-party service provider under DORA?

A number of implementation measures will be required for ICT third-party providers when the DORA becomes applicable from January 17, 2025. For many companies, the question therefore arises as to whether they are considered a "ICT third-party provider" and what the consequences of this classification are.

Leon Neumann

Scientific Research Assistant

Boris Arendt

Salary Partner (Attorney-at-law)

Steffen Groß

Partner (Attorney-at-law)

Concept of the ICT third-party service provider
Services to support critical and important functions
Specification of the legal requirements in RTS and ITS
Procedure

Get assistance from our lawyers

Data Protection compliance can be complicated. Let our experienced team simplify it for you.

Free initial consultation

With DORA, the European legislator is pursuing the goal of strengthening the resilience of the financial sector with the help of uniform regulations for the use of information and communication technologies (ICT). In Part 1, we presented the scope of application and the main regulatory content of the regulation. Part 2 focuses on the requirements for contracts between regulated financial and insurance companies and ICT third-party service providers.

In this article, we clarify the practically relevant question of who exactly qualifies as an ICT third-party service provider. This is because financial companies affected by the Regulation tend to impose extensive contractual adjustments on all types of technical service providers in order to comply with their obligations under Art. 28 et seq. DORA. Whether this is necessary in individual cases and which clauses go beyond the statutory minimum requirements depends on whether an "ICT service" is actually used and, if so, whether it is an ICT service to support critical and important functions.


Concept of the ICT third-party service provider

1. Interpretation of the definition

Since ICT third-party service providers (= ICT providers) are only defined as companies that offer ICT services (Art. 3 No. 19 DORA), the legal definition of “ICT services” is important. According to Art. 3 No. 21 DORA, this term covers "digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services".

ICT stands for information and communication technology (see Art. 1 lit. a DORA). The EU Commission in turn defines this term as "all technical means used to handle information and aid communication, including both computer and network hardware, as well as their software".

The legal definition of ICT services is therefore extremely broad and covers practically the majority of all IT-based services, such as cloud and software services. The question therefore arises as to whether service providers who merely provide subordinate services that are not related to the financial or insurance activities of their contractual partner also fall within the scope of the DORA. At first glance, it seems incomprehensible that, for example, the provider of a digital service for the management of employee benefits is also subject to the stricter contractual requirements under Art. 28 et seq. DORA as soon as the contractual partner is a financial company. The term could therefore be interpreted restrictively.

However, it would be contrary to the purpose of DORA to ensure comprehensive protection against risks associated with all types of ICT services in the financial or insurance sector (see recital 35) if subordinate services were excluded per se from the scope of application, as this type of service can also entail security-relevant risks in individual cases. This is because even those services that are not directly related to the financial activities of the client are inevitably part of the client's business processes and serve - even if only indirectly - the business activity. If security risks arise in the context of the use of the service, these pose an increased risk solely due to the nature of the client as a financial or insurance company, which justifies the application of DORA.

The fact that some services are particularly "financially related" or important for the performance of the financial company's business activities and therefore their use entails particular risks is taken into account by the legislator in that it places special requirements on ICT services supporting critical or important functions. A restriction of the wording in the above sense would mean that there would hardly be any scope for "non-critical" services. This is because services that support critical and important functions are precisely those services that are essential for the execution and security of the business activities pursued or services offered by the financial institution (see Art. 3 no. 22 DORA), which in principle applies to all those services that would only fall within the scope of the regulation after the restriction under consideration. Thus, the term "ICT service provider" is to be understood as broadly as the wording suggests.

2. Examples of ICT service providers

Positive examples: The DORA itself describes "cloud computing services, software solutions and data-related services" as ICT services by way of example (recital 79). In practice, this includes, for example, software as a service (SaaS), data analysis services, business intelligence, backup and disaster recovery, helpdesk and technical support and storage solutions.

Negative examples: However, non-technical services such as cleaning services, catering or delivery and courier services are not included. Traditional analogue telephone services, which are considered PSTN or POTS services or fixed-line telephone services, are also explicitly excluded.


Services to support critical and important functions

1. What are critical and important functions?

According to Art. 3 No. 22 DORA, a critical or important function is "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law".

The definition is therefore based on the importance of the service for the financial stability, business continuity or regulatory compliance of the financial institution. As the classification therefore depends largely on the financial institution in question, the institution itself assesses (often in the form of a business impact analysis) whether a service procured from a third-party service provider supports an important and critical function. Therefore, from the perspective of the third-party service provider, it cannot be claimed per se that it does not support critical functions under any circumstances. However, there will be clear tendencies depending on the type of service.

According to the above definition, the following service providers, for example, are likely to support critical functions: payment processing systems, online banking platforms, credit risk and credit assessment services, cybersecurity systems, data backup and recovery services.

Note: The question of whether the ICT third-party service provider is a "critical ICT third-party service provider" within the meaning of Art. 31 DORA must be distinguished from what has been said so far. Such critical ICT third-party service providers are subject to a European supervisory framework and thus to special supervision by a lead European supervisory authority (either EBA, ESMA or EIOPA - depending on the sector for which the ICT third-party service provider is primarily active). The assessment of whether a company is a "critical" third-party service provider is not carried out by the company itself, but by the "ESAs" (European Supervisory Authorities), i.e. the aforementioned "European Supervisory Authorities".

2. What are the resulting requirements?

The assessment of whether the service serves to support critical and important functions is decisive for the minimum contractual requirements that DORA places on service contracts between financial institutions and third-party ICT service providers. The extra content that applies to the support of critical and important functions has already been discussed in Part 2.

As a result, DORA does not place excessively high contractual requirements on "normal" service providers, especially as the minimum contractual content to be agreed is often already required under other regulations such as the GDPR. Nevertheless, existing contracts should always be reviewed and, if necessary, adapted with DORA-compliant amendments. For ICT service providers supporting critical and important functions, on the other hand, the requirements are quite far-reaching and strict, as can be seen, for example, in the supervisory and audit rights of the financial company to be agreed, which is why a not inconsiderable implementation effort is to be expected here.



Procedure

Service providers of financial institutions should familiarize themselves with the minimum contractual content required under the DORA in order to avoid having clauses imposed by overly cautious financial institutions when concluding service contracts that are not necessary. It is therefore particularly important to assess whether the service offered can be used to support important and critical functions and, if so, when this is the case. This is because the effort required to comply with DORA depends largely on this assessment.

In addition, existing service contracts should be checked for compliance (gap analysis). With the applicability of the regulation from January 17, 2025, there is not much time left to ensure compliance. As the implementation effort may be more than minimal, ICT third-party service providers are urged to start implementation in good time in order to ensure long-term cooperation with financial and insurance companies.


Legal advice

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB

Consulting

Simpliant GmbH

Technology

Simpliant Technologies GmbH

Data protection

We will support you in implementing all data protection requirements with the GDPR.

Information security

We support you in setting up a holistic ISMS such as ISO 27001.

Artificial intelligence

We advise you on the integration of AI and develop legally compliant usage concepts.


© 2019 - 2024 Simpliant