EU clearer on finance firms’ IT services
Lawyers at A&L Goodbody have welcomed clarification from the European Commission on which types of ICT (information, communication, and technology) services will be covered by new EU legislation on financial firms’ digital operations.
The EU rules aim to increase the resilience of the European financial market and reduce the risk of cyber-attacks.
They cover issues such as the reporting of IT-related incidents, information-sharing on cyber-threats, and contracts between financial firms and third-party ICT providers.
The Digital Operational Resilience Act (DORA) came into force on 17 January, but there had been lingering uncertainty about the definition of ‘ICT services’.
‘Wait-and-see’ approach
In a note on the firm’s website, the ALG lawyers say that the uncertainty led to “real practical challenges” for financial entities ahead of the DORA implementation date.
“In practice, this meant that many financial entities felt forced to either adopt an inclusive approach to the definition or alternatively adopt a ‘wait-and-see’ approach,” they state.
ALG highlights the commission’s statement that the definition should be understood “in a broad manner, to the extent that such services encompass digital and data services provided through ICT systems on an ongoing basis”.
The commission also sets out how financial firms should assess whether services provided by another financial firm are ‘financial’ and, as a result, not treated as an ‘ICT service’ under DORA.
“The commission’s clarification is welcome in that it recognises the reality that financial services are largely delivered electronically and inevitably supported by ongoing ICT services, such as information-management platforms,” ALG says.
Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland