Following the entry into force of Regulation (EU) 2022/2554 on digital operational resilience in the financial sector last Friday, the European Commission has now published the eagerly awaited Q&A on the question of which services fall under the definition of ICT services according to Art. 3(21) DORA (2999 - DORA030).
This clarifies that financial services may include an ICT component. Financial entities receiving ICT services from other financial entities must assess whether
- the services constitute an ICT service under DORA, and
- whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country.
If both conditions are met, the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21). In case the service is provided by a regulated financial entity that provides regulated financial services, but the service is not related to or independent from such regulated financial services, the service should be categorised as an ICT service within the meaning of Article 3(21) DORA (only if the criteria of the definition are met).
As a regulated entity, CCPA only provides clearing services within the scope of its EMIR authorisation and does not provide any other services (in particular, no services not covered by its EMIR authorisation). The clearing services are provided with the help of ICT systems, which have only a supporting function for the clearing services. These ICT systems do not constitute a separate service but are inextricably linked to the financial services provided. Therefore, the clearing services of CCPA do not constitute ICT services within the meaning of DORA.
