Out-Law Analysis

DORA: new guidance brings some clarity for classifying ICT services


Important clarifications on the definition and scope of ICT services for the purposes of regulation under the Digital Operational Resilience Act (DORA) have been provided by EU policymakers and should prompt financial institutions into action.

The clarifications, shared in recent guidance provided by the European Commission and published by the European Insurance and Occupational Pensions Authority (EIOPA), arrive at a significant time, as financial institutions continue to deal with DORA compliance requirements in the aftermath of 17 January 2025 when the new regime took effect, with non-compliant financial services providers now exposed to potential regulatory enforcement action.

It also comes at a time when many financial institutions are still wrestling with how to categorise various services that either have been or are delivered through ICT components. While the guidance has been given by EIOPA, it is equally applicable to firms supervised by the other EU supervisory authorities in financial services – the European Banking Authority (EBA) and European Securities and Markets Authority (ESMA).

What the new guidance says  

The guidance sets out the obvious baseline principle that DORA intentionally includes a wide-ranging definition of ICT services. However, it provides more clarity by establishing a nuanced framework for determining whether services provided by other regulated financial entities to a financial entity within DORA’s scope should be classified as ICT services when those services include ICT components. According to the guidance, where a financial entity is within DORA’s scope and it receives a service from another regulated financial entity, the financial entity regulated by DORA must conduct a two-part assessment to evaluate the service it receives.

First, it must determine whether the service matches the elements for an ICT service set out in DORA's definition. Second, it must verify both that the service provider is regulated as a financial entity and the relevant service is a regulated financial service under: EU law; national legislation of an EU member state; or legislation of any third country – that is, regulated anywhere else in the world.

When both criteria are met, the service should be classified as a financial service rather than an ICT service for the purposes of DORA, so long as it meets a further “independence test” which the guidance establishes.

The independence test

A key aspect of the guidance is its introduction of an "independence test" for services provided by regulated financial entities. The classification framework includes two key scenarios:

  • Connected services – when ICT services are provided in connection with regulated financial services, they should be classified as financial services, provided they meet the two-part assessment criteria.
  • Independent services – if a regulated financial entity provides services that are either unrelated to or independent of their regulated financial services, these should be classified as ICT services under DORA, regardless of the provider's status as a regulated entity.

The guidance also extends this classification framework to ancillary services for which the treatment follows similar principles. Services are not considered ICT services under DORA if they are:

  • inseparable from regulated financial services;
  • indivisible from regulated financial services;
  • preparatory to regulated financial services;
  • necessary for the provision of regulated financial services.

Conversely, ancillary services provided on a standalone basis should be classified as ICT services under DORA, applying the same logic as services that are independent from financial services provided by regulated entities.

Implications for financial institutions

The guidance has several important implications for financial institutions. While most regulated entities will have conducted a thorough review of their key service relationships for compliance with DORA by now, further scrutiny should be given to services with ICT components provided by regulated financial entities.

Financial institutions will need to adapt their approach to classification to consider both the nature of the service and the regulatory status of the provider before reaching a conclusion regarding the service relationship’s correct classification. They should also review previous classifications made on a “best efforts” basis, as these may now be inconsistent with the new guidance.

The DORA-mandated register of information may need to be revised to include or exclude some third-party arrangements, depending on whether the regulated entity finds itself to have been over- or under-inclusive of relevant relationships in light of the guidance. The list of contracts to review and amend, where they do not meet DORA’s mandatory contractual requirements, will also need to be assessed.

This guidance on ICT services under DORA represents a significant step forward in clarifying DORA’s scope and application. It provides financial entities with a structured framework for service classification when services are received from other regulated providers. As regulated entities continue with their DORA implementation activities, it will serve as an important reference point for service classification which builds further upon the guidance provided by the ESAs in the form of FAQs last year.

The ESAs’ FAQs document, last updated July 2024, sets out additional context on the definition of ICT services. It clarifies that one-time purchased ICT services – single, static solutions – without ongoing maintenance, support or updates, are not considered ICT services. This interpretation helps financial entities distinguish between one-off technology purchases and the continuous service relationships that DORA aims to regulate, although it does not help clarify the approach that should be taken where the arrangement is somewhere in between.

The FAQs also provide for non-regulated participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, to be considered ICT third-party service providers. Careful consideration therefore needs to be given to both the FAQs and this new guidance to ensure that decisions regarding classification are not made which are inconsistent with the ESAs’ expectations.  

The challenge now lies in practical implementation, as financial entities must apply these principles across their diverse service relationships while maintaining comprehensive documentation of their assessment processes and decisions. To meet the expectations of regulators, financial institutions should carefully balance the details set out in this guidance with practical risk and security considerations, ensuring that service classifications align with DORA's overarching goal of enhancing the financial sector's operational resilience.
