- Question ID
-
2024_7096
- Legal act
- Regulation (EU) No 2022/2554 (DORA)
- Topic
- Oversight framework of CTPPs
- Article
-
31
- Paragraph
-
8
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
-
/
- Type of submitter
-
Credit institution
- Subject matter
-
Exemption for Non-EU ICT Intra-group Service Providers
- Question
-
Is it accurate to interpret that an ICT intra-group service provider established outside the EU (non-EU country), providing critical services to an EU-based financial institution (parent undertaking), falls within the exemption outlined in Article 31(8) of DORA, thereby exempting the need for establishing a subsidiary within the EU?
- Background on the question
-
In accordance with the provision of Article 31(12) of DORA, financial institutions may use the services of ICT providers from third countries that have been designated as critical only if these providers have established a subsidiary in the EU within 12 months of the designation. However, paragraph 8 of the same article provides exceptions, which include ICT intra-group service providers. The third-party provider is part of a financial group with the parent undertaking established in an EU country, while the third-party provider itself is established in a non-EU country. The provider primarily offers services to financial institutions within the same group and in our assessment meets the criteria for an "ICT intra-group service provider" as defined in Article 3(20). The bank is inquiring whether, in this case, the third-party provider is required to establish a subsidiary in the EU.
- Submission date
- Final publishing date
-
- Final answer
-
In accordance with Article 31(8) point (iii) of DORA, the designation as critical ICT third-party provider referred to in Article 31(1) of DORA does not apply to ICT intra-group service providers. That provision does not make a distinction between intra-group providers established within the Union or in a third country
Since intra-group service providers as defined in Article 3(20) of DORA (which is “an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control”) are not subject to a designation as critical, the conditions for an application of Article 31(12) of DORA cannot be met for those providers, and the requirement for an EU-based subsidiary does not apply.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the Joint ESAs Q&A
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.