The Joint Statement on DORA and Definition of ICT Service Provider was published on 1 October 2024 by the Association for Financial Markets in Europe (AFME), the European Association of CCP Clearing Houses (EACH), the European CSD Association (ECSDA), the Federation of European Securities Exchanges (FESE) and the Futures and Options Association (FIA).
KPMG’s Risk Consulting Partner and DORA Co-Lead Jackie Hennessy and the Risk Consulting team reviewed the publication and have summarised the key messages.
Interpretation of the definition of ‘ICT Services’
The Dry-Run Exercise on the Register of Information (ROI) has reinforced the concern that there is ongoing divergence among industry stakeholders regarding the interpretation of the definition of ‘ICT Services’ under DORA, and regarding when financial entities, including financial market infrastructures (FMIs), may themselves be seen as ICT service providers.
Industry urges the ESAs to reinstate guidance
The industry urges the ESAs to reinstate their guidance on this point, so that financial entities need to treat services provided by other financial entities as ICT services under DORA only where such services are primarily ICT-focused in their nature and purpose, such as the cloud computing, software and data centre services the guidance specified.
Potential entity-level class exemption
The industry notes that for a significant number of arrangements with financial entities, in particular with FMIs, it may be more suitable at a future date to consider an entity-level class exemption (e.g., for services provided by entities acting as trading venue operators, central securities depositories, central counterparties, credit institutions and investment firms) given the generalised definition of ICT services in DORA and the oversight financial services regulators already exercise over the contractual arrangements of these entities.
Considering that it is at the discretion of financial entities to classify the ICT services they receive and to establish whether these services support critical or important business functions (“CIFS”), the exemption would ensure that regulated financial entities are not at risk of being unintentionally captured by the DORA regime for their already regulated activities.
Prepare for January
With the continuing evolution of the regulation, Hennessy advises that preparation will need to continue for some time to come.
"This is the first time for all firms in demonstrating this level of compliance from a digital resilience perspective; there is no blueprint. It is also not yet fully understood how it will be regulated. Most organisations will already have done their gap analyses and put in place programmes to address the gaps, but that is just the start. A number of new regulatory and technical standards have just been released, and more are on the way. The target is moving, and the gap analysis is never complete. Programmes will need to be flexible to comply with new standards pretty quickly."
Get in touch
Whether you require additional resources or expert knowledge, the skills across our Consulting practice can be drawn upon to assist with the various aspects of your DORA programme.
If you would like to discuss the potential impact of DORA on your business, please contact Jackie Hennessy or Dani Michaux of our Digital Operational Resilience team. We look forward to hearing from you.
Jackie Hennessy
Partner
KPMG in Ireland
Dani Michaux
Partner, EMA Cyber Leader
KPMG in Ireland