2025_7421 Definition and Scope of DORA | European Banking Authority

Question ID

2025_7421

Legal act

Regulation (EU) No 2022/2554 (DORA Reg)

Topic

ICT third-party risk management

Article

Paragraph

Subparagraph

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations

Not applicable

Article/Paragraph

N/A

Type of submitter

Consultancy firm

Subject matter

Definition and Scope of DORA

Question

Does the definition of 3.19 include all service providers - no matter the relevance of their service for the digital resilience of the financial service e.g. providers of an employee survey tool or a recruitment tool, where the absence of their services would no have no impact on the resilience security of network and information systems supporting the business processes of financial entities.
If in the affirmative, does this mean that any ICT third-party service provider falls within the scope of DORA ( see Article 2.1(u). As a consequence a service a digital employee exercise app provider will fall within the scope of DORA if they sell their services to a financial service provider?
If in the affirmative, is this proportionate with regard to the impact that this has on ICT third-party service providers whose services have no impact on the security of network and information systems supporting the business processes of financial entities.
If in the affirmative, do the financial authorities now have competence over all ICT third-party service providers, regardless of what kind of services they provide as long as they are providing services to a financial entity?

* financial entity = or any other entity besides an ICT service provider

Background on the question

The background of this question is that banks and other financial institutions are requesting, with reference to DORA, that ICT service providers who have no impact on the security of network and information systems supporting the business processes of financial entities, to amend contracts.

Submission date

22/04/2025

Rejected publishing date

04/09/2025

Rationale for rejection

This question has been rejected because it is considered that EBA guidance or clarification is not needed with regard to the issue that it raises. This can be the case where that the existing regulatory framework is considered sufficiently clear and unambiguous.

The Single Rule Book Q&A tool has been established to provide explanations and non-binding interpretations on questions relating to the practical application or implementation of the provisions of legislative acts referred to in Article 1(2) of the EBA’s founding Regulation, as well as associated delegated and implementing acts, and guidelines and recommendations, adopted under these legislative acts.

For further information on the purpose of this tool and on how to submit questions, please see “Additional background and guidance for asking questions”.

Status

Rejected question

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting

Data

Publications

Media centre