With DORA, the European legislator is pursuing the goal of strengthening the resilience of the financial sector with the help of uniform regulations for the use of information and communication technologies (ICT). In Part 1, we presented the scope of application and the main regulatory content of the regulation. Part 2 focuses on the requirements for contracts between regulated financial and insurance companies and ICT third-party service providers.
In this article, we clarify the practically relevant question of who exactly qualifies as an ICT third-party service provider. This is because financial companies affected by the Regulation tend to impose extensive contractual adjustments on all types of technical service providers in order to comply with their obligations under Art. 28 et seq. DORA. Whether this is necessary in individual cases and which clauses go beyond the statutory minimum requirements depends on whether an "ICT service" is actually used and, if so, whether it is an ICT service to support critical and important functions.
Concept of the ICT third-party service provider
1. Interpretation of the definition
Since ICT third-party service providers (= ICT providers) are only defined as companies that offer ICT services (Art. 3 No. 19 DORA), the legal definition of "ICT services" is important. According to Art. 3 No. 21 DORA, this term covers "digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services".
ICT stands for information and communication technology (see Art. 1 lit. a DORA). The EU Commission in turn defines this term as "all technical means used to handle information and aid communication, including both computer and network hardware, as well as their software".
The legal definition of ICT services is therefore extremely broad and in practice covers the majority of IT-based services, such as cloud and software services. The question therefore arises as to whether service providers who merely provide subordinate services that are not related to the financial or insurance activities of their contractual partner also fall within the scope of DORA. At first glance, it seems incomprehensible that, for example, the provider of a digital service for the management of employee benefits should also be subject to the stricter contractual requirements under Art. 28 et seq. DORA as soon as the contractual partner is a financial company. The term could therefore be interpreted restrictively.
However, it would be contrary to the purpose of DORA, which is to ensure comprehensive protection against the risks associated with all types of ICT services in the financial or insurance sector (see recital 35), if subordinate services were excluded per se from the scope of application, as this type of service can also entail security-relevant risks in individual cases. Even services that are not directly related to the financial activities of the client are inevitably part of the client's business processes and serve, even if only indirectly, its business activity. If security risks arise in the context of the use of such a service, they pose an increased risk solely because the client is a financial or insurance company, which justifies the application of DORA.
The legislator takes into account the fact that some services are particularly "financially related" or important for the performance of the financial company's business activities, and that their use therefore entails particular risks, by placing special requirements on ICT services supporting critical or important functions. A restriction of the wording in the above sense would mean that there would hardly be any scope left for "non-critical" services. This is because services that support critical and important functions are precisely those services that are essential for the execution and security of the business activities pursued or services offered by the financial institution (see Art. 3 No. 22 DORA), which in principle applies to all those services that would still fall within the scope of the regulation after the restriction under consideration. Thus, the term "ICT service provider" is to be understood as broadly as the wording suggests.
2. Examples of ICT service providers
Positive examples: The DORA itself describes "cloud computing services, software solutions and data-related services" as ICT services by way of example (recital 79). In practice, this includes, for example, software as a service (SaaS), data analysis services, business intelligence, backup and disaster recovery, helpdesk and technical support and storage solutions.
Negative examples: Non-technical services such as cleaning services, catering or delivery and courier services are not included. Traditional analogue telephone services, i.e. PSTN (public switched telephone network) or POTS (plain old telephone service) and fixed-line telephone services, are also explicitly excluded.
Services to support critical and important functions
1. What are critical and important functions?
According to Art. 3 No. 22 DORA, a critical or important function is "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law".
The definition is therefore based on the importance of the service for the financial stability, business continuity or regulatory compliance of the financial institution. As the classification thus depends largely on the financial institution in question, the institution itself assesses (often in the form of a business impact analysis) whether a service procured from a third-party service provider supports a critical or important function. From the perspective of the third-party service provider, it therefore cannot be claimed per se that it does not support critical functions under any circumstances. However, there will be clear tendencies depending on the type of service.
According to the above definition, the following service providers, for example, are likely to support critical functions: payment processing systems, online banking platforms, credit risk and credit assessment services, cybersecurity systems, data backup and recovery services.
Note: The question of whether the ICT third-party service provider is a "critical ICT third-party service provider" within the meaning of Art. 31 DORA must be distinguished from what has been said so far. Such critical ICT third-party service providers are subject to a European oversight framework and thus to special supervision by a lead European supervisory authority (either EBA, ESMA or EIOPA, depending on the sector in which the ICT third-party service provider is primarily active). The assessment of whether a company is a "critical" third-party service provider is not carried out by the company itself, but by the ESAs (European Supervisory Authorities), i.e. the aforementioned EBA, ESMA and EIOPA.
2. What are the resulting requirements?
The assessment of whether the service serves to support critical and important functions is decisive for the minimum contractual requirements that DORA places on service contracts between financial institutions and third-party ICT service providers. The extra content that applies to the support of critical and important functions has already been discussed in Part 2.
As a result, DORA does not place excessively high contractual requirements on "normal" service providers, especially as the minimum contractual content to be agreed is often already required under other regulations such as the GDPR. Nevertheless, existing contracts should always be reviewed and, if necessary, adapted with DORA-compliant amendments. For ICT service providers supporting critical and important functions, on the other hand, the requirements are quite far-reaching and strict, as can be seen, for example, in the supervisory and audit rights of the financial company to be agreed, which is why a not inconsiderable implementation effort is to be expected here.
Specification of the legal requirements in RTS and ITS
Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) are intended to facilitate the implementation of the DORA requirements by providing practical implementation instructions and concrete assistance for the companies concerned. The above-mentioned European Supervisory Authorities (ESAs) are responsible for drawing up and issuing the standards. The legal basis for issuing such standards can be found in Art. 57 DORA.
To date, many different RTS have been issued in two packages (the first in March 2024 and the second in July 2024), which specify a wide variety of DORA requirements. The following RTS are particularly relevant in connection with the use of third-party ICT service providers.
- RTS on contractual agreements with ICT third-party service providers (pursuant to Art. 28 para. 10 DORA), which provide financial companies with clear guidance on the requirements that apply to contracts and agreements with third-party providers, particularly where outsourced ICT services support critical or important functions
- RTS on the information register (pursuant to Art. 28 para. 9 DORA), which contain templates for an ICT outsourcing register that must be kept by financial companies with regard to contracts with third-party ICT providers
- RTS on the subcontracting of ICT third-party service providers (pursuant to Art. 30 para. 5 DORA), which set specific and independent requirements for the contractual conditions regarding the subcontracting of ICT third-party service providers
Procedure
Service providers of financial institutions should familiarize themselves with the minimum contractual content required under DORA in order to avoid having unnecessary clauses imposed on them by overly cautious financial institutions when concluding service contracts. It is therefore particularly important to assess whether the service offered can be used to support critical and important functions and, if so, under what circumstances. This is because the effort required to comply with DORA depends largely on this assessment.
In addition, existing service contracts should be checked for compliance (gap analysis). With the regulation applying from January 17, 2025, there is not much time left to ensure compliance. As the implementation effort may be more than minimal, ICT third-party service providers are urged to start implementation in good time in order to secure long-term cooperation with financial and insurance companies.