- Question ID: 2024_7089
- Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
- Topic: ICT third-party risk management
- Article: 28
- Paragraph: 3
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: ITS Recital 7
- Name of institution / submitter: AFME
- Country of incorporation / residence: Belgium
- Type of submitter: Industry association
- Subject matter: Identification of ICT Service Providers
- Question: Can the ESAs confirm there is no expectation to capture within the Register of Information the ICT subcontractors of non-ICT service providers?
- Background on the question: Recital 7 of the ITS suggests financial entities should consider whether non-ICT service providers are relying on ICT services. If so, it is understood that for the purposes of the Register of Information such providers may be treated as an ICT provider. This would see their ICT subcontractors listed in the Register, provided they effectively underpinned services supporting critical or important functions.
- Submission date
- Final publishing date
-
- Final answer
-
Where the direct third-party service provider of a financial entity does not provide an ICT service, the service falls outside of the scope of the DORA register of information. In case the said third-party service provider uses ICT services for the fulfilment of its contracted services through the use of ICT subcontractors, those remain outside the scope of the register of information (DORA Article 28.3). Therefore, such use of ICT services through ICT subcontractors does not need to be documented in the DORA register of information.
Financial entities are still required to comply with any relevant requirements under other applicable financial legislation, for instance, the EBA Guidelines.
It should be stressed that in case the financial entity considers, as part of its risk assessment, that the ICT service provided by the ICT subcontractor supports a critical or important function or material parts thereof to an extent that it could be requalified as equivalent to an ICT service provided directly to the financial entity, the DORA Chapter V requirements will apply.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the Joint ESAs Q&A
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.