- Question ID: 2025_7421
- Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
- Topic: ICT third-party risk management
- Article: 3
- Paragraph: 1
- Subparagraph: 19
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: N/A
- Type of submitter: Consultancy firm
- Subject matter: Definition and Scope of DORA
- Question
- Does the definition of 3.19 include all service providers - no matter the relevance of their service for the digital resilience of the financial service, e.g. providers of an employee survey tool or a recruitment tool, where the absence of their services would have no impact on the resilience security of network and information systems supporting the business processes of financial entities?
- If in the affirmative, does this mean that any ICT third-party service provider falls within the scope of DORA (see Article 2.1(u))? As a consequence, a digital employee exercise app provider will fall within the scope of DORA if they sell their services to a financial service provider?
- If in the affirmative, is this proportionate with regard to the impact that this has on ICT third-party service providers whose services have no impact on the security of network and information systems supporting the business processes of financial entities?
- If in the affirmative, do the financial authorities now have competence over all ICT third-party service providers, regardless of what kind of services they provide as long as they are providing services to a financial entity?
* financial entity = or any other entity besides an ICT service provider
- Background on the question
The background of this question is that banks and other financial institutions are requesting, with reference to DORA, that ICT service providers who have no impact on the security of network and information systems supporting the business processes of financial entities amend contracts.
- Submission date
- Rejected publishing date
-
- Rationale for rejection
This question has been rejected because it is considered that EBA guidance or clarification is not needed with regard to the issue that it raises. This can be the case where the existing regulatory framework is considered sufficiently clear and unambiguous.
The Single Rule Book Q&A tool has been established to provide explanations and non-binding interpretations on questions relating to the practical application or implementation of the provisions of legislative acts referred to in Article 1(2) of the EBA’s founding Regulation, as well as associated delegated and implementing acts, and guidelines and recommendations, adopted under these legislative acts.
For further information on the purpose of this tool and on how to submit questions, please see “Additional background and guidance for asking questions”.
- Status: Rejected question