Skip to main content
Logo
European Insurance and Occupational Pensions Authority
 

3551 - DORA 291

Q&A

Question ID: 3551 - DORA 291

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Article: 3(21)

Status: Rejected

Date of submission: 15 Apr 2026

Question

Article 3(19) of Regulation (EU) 2022/2554 defines an ICT third-party service provider as the undertaking that actually provides an ICT service to a financial entity. Article 30 requires financial entities to include specific provisions in contracts with such providers. How should these requirements apply in the following scenario?    
A financial entity develops and technically operates an ICT service used in the provision of financial services. That service is not distributed directly to end-customers by the financial entity itself, but exclusively through a non-financial commercial partner (e.g. a distributor or reseller), which: 

(1) is the sole contractual counterparty of the financial entity; and 

(2) holds the direct contractual relationship with end-customers, while the financial entity remains in the background as the technical operator.
In this constellation, does the contract between the financial entity and the distributor need to comply with Article 30 of DORA? 

More specifically:


1.    Does the distributor qualify as an ICT third-party service provider within the meaning of Article 3(19), given that it does not itself develop or operate the ICT service?
2.    If not, does the arrangement fall outside the scope of DORA's third-party contractual requirements altogether, on the basis that no ICT third-party service provider is present?


If a DORA-compliant contractual framework is still required, between which parties must it be concluded?

Background of the question

How should DORA be applied in the following constellation: A financial entity (as defined in Article 2 of Regulation (EU) 2022/2554) develops and technically operates an ICT service that is used in the provision of financial services (for example, a white‑label platform or application). This ICT service is distributed, offered and contractually provided to end‑customers exclusively by a non‑financial entity (e.g. a non‑regulated distributor or commercial partner), which: is the sole contractual counterparty of the financial entity, and has the contractual relationship with end‑customers, while the financial entity remains “in the background” as the technical provider/producer of the ICT functionality. In this scenario: Does DORA require that the DORA‑relevant ICT services contract be concluded directly between the financial entity and the actual provider of the ICT service (i.e. the entity that effectively develops and operates the ICT), such that the contractual counterparty and the service provider must be identical for DORA purposes? Or is it sufficient, for DORA compliance, that the financial entity only has a contractual relationship with the non‑financial distributor, even if this distributor does not itself provide the ICT service but merely distributes or resells it, so that no separate DORA‑compliant contractual arrangement with the underlying ICT provider would be required? More generally, in cases where: the ICT service is created and technically provided by a financial entity, and it is distributed or marketed by a non‑financial entity, under which conditions, if any, would such a constellation be considered outside the scope of the DORA contractual requirements (e.g. because there is no “ICT third‑party service provider” within the meaning of Article 3(19) of Regulation (EU) 2022/2554)? We would appreciate EIOPA’s interpretation as to whether, in such arrangements, a DORA‑compliant contractual framework is still required and, if so, between which parties it must be concluded.

EIOPA answer

The question is seeking confirmation of a requirement already clearly set out in the regulation.