Question ID
2025_7415
Legal act
Regulation (EU) No 2022/2554 (DORA Reg)
Topic
ICT-related incidents (management / classification / reporting)
Article
3
Paragraph
21
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2024/2956 - ITS on the register of information
Article/Paragraph
Annex 3
Type of submitter
Law firm
Subject matter
Definition of ICT service
Question

If a supplier must provide an ICT Service to fall under DORA, how should we determine what qualifies? Should we rely on the DORA regulation’s definition of an ICT Service, or should we use the Annex 3 list (S01-S19) from the ITS Register of Information?

Background on the question

There is some hesitancy in relying on the Annex to determine whether a supplier is providing an ICT service. This concern stems from two key issues: firstly, the Annex appears to include service types that extend beyond the original definition of ICT services under DORA. Secondly, there is an implication that a single identifier or code must be consistently applied across the entire supply chain. For instance, if a telecommunications provider is classified under a specific code (e.g., S10 for Telecom Carrier Services), that same code might need to be used for all associated suppliers, even if they provide unrelated services such as ICT helpdesk support (e.g., S03). This approach suggests that the Annex primarily addresses direct third-party service providers, rather than entities further along the supply chain.

Submission date
Rejected publishing date
Rationale for rejection

This question has been rejected because the matter it refers to has been answered/is in the process of being answered in Q&As DORA030 and DORA095.

Status
Rejected question