On 2 December 2024, the final version of implementing technical standards (ITS) on standard templates for the register of information was published as Commission Implementing Regulation 2024/2956 in the Official Journal of the European Union. The ITS extends the scope of information and communication technology (ICT) services under Regulation (EU) 2022/2554 on digital operational resilience (DORA), leading to additional compliance tasks for both financial entities and ICT third-party service providers. The following article provides an analysis of this regulation.
Definition of ICT services under DORA
The practical interpretation of the definition of ICT services under DORA has been the subject of much debate. In the absence of legal precedent and supervisory guidance, it was not clear which services fall into this category.
Under Article 3(21) of DORA, ICT services are defined as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. Recital (35) adds that the definition of ICT services should be understood broadly.
Definition of ICT services under the ITS
Annex III of the ITS describes the type of ICT services as follows:
- ICT project management;
- ICT development, including business analysis, software design and development, testing;
- Helpdesk support and first level support relating to ICT incidents;
- ICT security management services, including ICT security protection, detection, response and recovery, security incident handling and forensics;
- Data provider services;
- Data analysis services;
- ICT infrastructure, facilities and hosting services, including the provision of utilities such as energy, heat management, etc., telecom access and physical security (excluding cloud services), payment-processing activities, and operating payment infrastructures;
- Digital processing capabilities, including data computation but excluding cloud services;
- Data storage platform, excluding cloud services;
- Telecommunication systems and flow management, excluding traditional analogue telephone services;
- Network infrastructure;
- Hardware and physical devices in a form of a service, including workstations, phones, servers, data storage devices, appliances, etc.;
- Licensing software run on premises, excluding software-as-a-service (SaaS);
- ICT operation management, including infrastructure configuration, maintenance, installing, capacity management, business continuity management, etc.;
- ICT consulting, including intellectual property/ICT expertise services;
- ICT risk management under DORA;
- Infrastructure-as-a-service (IaaS);
- Platform-as-a-service (PaaS);
- Software-as-a-service (SaaS).
Differences between the definition of ICT services under DORA and the ITS
The final wording of the ITS essentially reflects the European Banking Authority’s (EBA) earlier stance, adopting a surprisingly broad interpretation of ICT services. This includes services that are not digital services, data services or delivered over an ICT network. For example, the following are classified as ICT services under the final ITS: intellectual property consulting, ICT project management, simple on-premises software licences without support or additional services, ICT expert services and consulting, and services verifying compliance with ICT risk management requirements (i.e. audits).
The extension of the scope of ICT services under DORA will lead to additional compliance tasks for both financial entities and ICT third-party service providers. Based on the published ITS, it will be necessary to review previously completed registrations and reclassify ICT services, with particular attention to services not previously considered ICT services by financial entities. ICT third-party service providers should anticipate a larger volume of requests to enter into additional contractual agreements with financial entities in order to achieve DORA compliance.
Background
DORA establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities with the aim of achieving a high common level of digital operational resilience. These measures include ICT risk management, reporting of major ICT-related incidents, digital operational resilience testing and requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities.
As part of their ICT risk management framework, financial entities must maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The ITS lays down classification rules for the supply chain of ICT service providers and contains important detailed rules regarding the content and completion of the register of information under DORA.
Next steps
In line with DORA, the ITS will apply from 17 January 2025. Both DORA and the ITS will be applicable in all EU member states.
The final ITS is available here. DORA is available here.
CMS is actively advising multinational financial entities and ICT third-party service providers on DORA compliance, specifically in relation to contractual obligations. For more information on how the extended scope of ICT services under the ITS could impact your company, contact your CMS client partner or these CMS experts.
The article was co-authored by János Bálint.