In order to maintain a high level of digital operational resilience for the whole financial sector, DORA seeks to establish a risk-based regulation focused upon the financial entities’ reliance on the use of ICT services.

For ICT service providers offering services to financial entities, understanding the precise meaning of “ICT services” under DORA is essential to their compliance framework. Ultimately, DORA is relevant to a service provider only insofar as the service it provides to the financial entity amounts to an “ICT service”.

The “ICT Services” Definition

DORA does define the term “ICT services”, in its Article 3(21), which reads as follows:

“‘ICT services’ means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;”

It should be observed that the definition hinges on the terms “digital and data services” and on their provision “on an ongoing basis”. However, DORA does not define either of these terms on a standalone basis. Similarly, such services need to be “provided through ICT systems”, where “ICT systems” is likewise not defined as a standalone term (the only related definition being that of a “legacy ICT system”).

Examples of “ICT services” are however provided within the definition itself, namely “hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider”, while a specific exclusion for traditional analogue telephone services is set out.

Thus, although DORA does provide a definition of the term “ICT services” in Article 3(21), that definition is open-ended rather than exhaustive. Contextual guidance can, however, be inferred from DORA itself.

Contextual Guidance

DORA’s Recital 35 is a main source of contextual guidance on the meaning of the term “ICT services”.

This reads as follows: “In order to maintain a high level of digital operational resilience for the whole financial sector, and at the same time to keep pace with technological developments, this Regulation should address risk stemming from all types of ICT services. (…)”

Thus, in the context of a risk-based approach, the term “ICT service” is meant to be understood in an open-ended manner. Indeed, such Recital continues:

“(…) To that end, the definition of ICT services in the context of this Regulation should be understood in a broad manner, encompassing digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. That definition should, for instance, include so called ‘over the top’ services, which fall within the category of electronic communications services.(…)”

The Recital also clarifies that the respective exclusion to analogue telephone services should be interpreted restrictively, to “exclude only the limited category of traditional analogue telephone services qualifying as Public Switched Telephone Network (PSTN) services, landline services, Plain Old Telephone Service (POTS), or fixed-line telephone services.”

ICT service providers may find further contextual clarity by looking at certain obligations which their financial entity customers must abide by under DORA. Key amongst these are the obligations relating to the register of information.

As part of their ICT risk management framework, financial entities are required by DORA to maintain a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. Financial entities are also required to make available to the competent authorities the register of information along with any information deemed necessary to enable the effective supervision of the financial entity and for acquiring a broader understanding of the ICT dependencies of the financial entity.

DORA’s current Draft Implementing Technical Standard on the Register of Information sets out that, when referring to a type of ICT service in the templates of the register of information, only the service identifier of the relevant type of ICT service shall be reported by the financial entity.

In turn, it sets out 19 service identifiers for 19 different types of ICT services, being:

  1. ICT project management
  2. ICT Development
  3. ICT help desk and first level support
  4. ICT security management services
  5. Provision of data
  6. Data analysis
  7. ICT, facilities and hosting services (excluding Cloud services)
  8. Computation
  9. Non-Cloud Data storage
  10. Telecom carrier
  11. Network infrastructure
  12. Hardware and physical devices
  13. Software licencing (excluding SaaS)
  14. ICT operation management (including maintenance)
  15. ICT Consulting
  16. ICT Risk management
  17. Cloud services: IaaS
  18. Cloud services: PaaS
  19. Cloud services: SaaS

Some further basic elaboration of the meaning of each of the 19 types of ICT services is also provided within Annex III of DORA’s current Draft Implementing Technical Standard on the Register of Information.

This is the second article in our series “The DORA Edge: Empowering ICT Providers in Financial Services”.

For information or assistance please contact us at info@gtg.com.mt

Author: Dr Terence Cassar

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.