- Question ID
-
2025_7466
- Legal act
- Regulation (EU) No 2022/2554 (DORA Reg)
- Topic
- Other DORA topics
- Article
-
Recital 63
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
-
Not applicable
- Name of institution / submitter
-
Dr. Rolf Kobabe
- Country of incorporation / residence
-
Germany
- Type of submitter
-
Law firm
- Subject matter
-
Public Authorities Exemption
- Question
-
Is the exemption for public authorities as quoted in recital 63 sentence 3 last half-sentence meant to be a general exemption for all public authorities as defined under art. 3 no. 65 DORA when providing ICT related services in the context of fulfilling State functions, or is the exemption limited to payment services and payment-related solutions?
- Background on the question
-
Recital 63 sentence 1 DORA provides that DORA should cover, as a general rule, a wide range of ICT third-party service providers. Recital 63 sentence 2 DORA then provides and clarifies that undertakings which are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, should also be considered as ICT third-party service providers under DORA. Recital 63 sentence 3 DORA provides for a very specific part of the financial industry, namely for participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, that such participant should also be considered to be ICT third-party service providers under DORA.
In this same sentence of recital 63 sentence 3 DORA the last half-sentence provides two exemptions, (i) central banks when operating payment or securities settlement systems (which is understandable in this context in view of operating payment systems, but not quite in view of securities settlement systems, since recital 63 sentence 3 DORA deals with payment systems and the payment services ecosystem, but not with securities settlement systems), and (ii) public authorities when providing ICT related services in the context of fulfilling State functions, whereas the latter is not qualified to payment systems, the payment ecosystem, securities settlement systems, or whatsoever.
The original proposal of the European Commission of 24.9.2020 did not include any provisions that now have become law in recital 63. It seems that this amendment was included by the Council Mandate (as set out in the Three-column table to commence trilogues of Council of the European Union of 17 January 2022, 5297/22). The rationale behind this amendment cannot be determined based on the published documents relating to the legislative process.
Therefore, it is not clear whether the exemption for public authorities is meant as a general rule (for any ICT related service in the context of fulfilling State functions), or whether such ICT related service of a given public authority needs to be a qualified ICT related service (e.g. payment service).
In this context it is in addition not clear whether an 'ICT related service' (which is not defined in DORA) is wider (which seems to be the case) than an 'ICT service'.
For example, would a public administration entity that provides software tools to financial institutions to administrate subsidies (e.g. refinanced by EU Institutions) not be considered as an ICT third-party service provider, since it provides obviously ICT related services (if not ICT services), but - as a public authority - such services are provided in the context of fulfilling a State function (meaning: governmental economic development of regions)? As a consequence, such public authority would not need to be included in the ICT third-party risk management by the financial institution.
- Submission date
- Final publishing date
-
- Final answer
-
Recital (63) of the DORA Regulation states that “public authorities providing ICT related services in the context of fulfilling State functions” should not be considered ICT third-party service providers (ICT TPPs) under DORA. This recital should be interpreted broadly to exclude essentially all public authorities from the scope of ICT TPP designation under DORA.
In light of this interpretation, a public authority that provides data to financial entities should not be in scope of DORA, as an ICT service provider.
Furthermore, the contractual arrangement requirement under Article 30.2 applies only where a financial entity engages an ICT TPP. If the public authority is not considered an ICT TPP, then the contractual obligations outlined in Article 30.2, including those under points (b) and (d), do not apply.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the Joint ESAs Q&A
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.