- Question ID: 2024_7290
- Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
- Topic: ICT third-party risk management
- Article: 3
- Paragraph: 21
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: N/A
- Type of submitter: Credit institution
- Subject matter: Definition and scope of ICT services
- Question
What is the correct reading of Article 3 (21) and Recital 63, Article 2 and Article 58(2) of Regulation (EU) No. 2022/2554 (DORA Reg) in combination with the COM/2023/0365 European Commission Report on the review of Directive 2015/2366/EU?
- Background on the question
In our understanding, in line with the European Commission report COM/2023/0365, payments systems and entities involved in payment processing activities should not be treated as entities falling within scope of DORA Regulation to whom DORA requirements would be applicable directly (as financial institutions listed in Article 2 (Scope) of DORA) and that consequentially would be subject to direct oversight by competent authorities.
However, it does not affect that such operators of payments systems and entities involved in payment processing activities should be treated as ICT service providers by financial institutions, as established by Recital 63, whereas operation of such payment processing systems/infrastructures/networks should be treated as ICT services by financial entities. Consequentially, mandatory DORA requirements should be applied to such arrangements impacting such payment system operators indirectly, as they in essence match the "ICT services" definition provided by Article 3 (21) of DORA Regulation. Inter alia, it would include securing a contractual framework that matches the requirements of Articles 28 and 30.
Various major payment systems/infrastructure providers are refusing to negotiate terms of agreements governing use of their payment systems/infrastructures, arguing that requirements set by DORA are not applicable to payment systems/infrastructures.
- Submission date
- Final publishing date
-
- Final answer
Article 2(1) of the Digital Operational Resilience Act (DORA) introduces the entities within the scope of DORA. Providers of payment-processing activities or operating payments infrastructures, including payment card schemes, are not included in said Article and, therefore, are not to be considered financial entities within the scope of DORA.
Article 3(21) of DORA defines ‘ICT services’ as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.
Recital (63) of DORA specifies that providers of payment-processing activities or operating payments infrastructures should be considered to be ICT third-party service providers under DORA, with the exception of central banks when operating payment or securities settlement systems, and public authorities when providing ICT related services in the context of fulfilling State functions.
It follows from the above that any relevant service provided by providers of payment-processing activities or operating payments infrastructures that falls within the definition under Article 3(21) of DORA, should be considered as an ICT service under DORA. Therefore, financial entities should ensure they comply with relevant provisions of DORA relating to the services provided by these ICT third-party service providers.
It should, however, be noted that not all services provided by these providers, including payment card schemes, are to be considered ICT services. Services provided by a governance body of a scheme or business processes of the providers of payment-processing activities or operating payments infrastructure without a prevailing ICT component, such as clearing and settlement, should not be considered within the scope of ICT services under Article 3(21) of DORA.
Finally, it should be noted that in accordance with Article 31(8)(ii) of DORA, ICT third-party service providers that are subject to oversight frameworks established for the purposes of supporting the tasks referred to in Article 127(2) of the Treaty on the Functioning of the European Union, shall not fall within the scope of the oversight framework of critical ICT third-party service providers under DORA.
- Status: Final Q&A
- Answer prepared by: Joint ESAs Q&A
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.