Question ID: DORA 154 - 3215
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: 3(19)
Status: Rejected
Date of submission: 18 Dec 2024
Question
We refer to the upcoming entry into application of the DORA regulation. An institution for occupational retirement has recently contacted the NCA regarding the following issue:

- that institution for occupational retirement provides pension benefits for contractual agents (employees) of a regional public authority;
- a public administration body belonging to the same regional public authority provides data management services to the benefit of that institution for occupational retirement. The public administration body manages the salary data of the contractual agents and transmits the data to the pension administrator, which then calculates the pension benefits. The public administration body also calculates the supplementary annuity benefits that are paid by the institution for occupational retirement. The pension benefits are paid by the institution for occupational retirement itself;
- the public administration body is the dedicated entity providing HR services to the regional public authority. It has no separate legal personality from the regional public authority. The service provision is enshrined in regional legislation and the public administration body receives no remuneration for the services (although it is supported by the budget of the regional public authority).

We understand that ICT services within the meaning of article 3, 21) of DORA include data management services such as those referred to above. However, provisions of the DORA regulation seem to exclude, under certain circumstances, public administration bodies from the definition of ICT third-party service providers:

- According to article 3, 19) of the DORA regulation, an ICT third-party service provider is an undertaking providing ICT services. That wording seems to capture entities that qualify as undertakings.
- Recital 63 contains the following passage: “Lastly, in light of the evolving payment services market becoming increasingly dependent on complex technical solutions, and in view of emerging types of payment services and payment-related solutions, participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, should also be considered to be ICT third-party service providers under this Regulation, with the exception of central banks when operating payment or securities settlement systems, and public authorities when providing ICT related services in the context of fulfilling State functions.” Although one could consider that the last part of the sentence only applies in the context of the payment services, another (broader) interpretation could be that recital 63 generally excludes public authorities (when fulfilling State functions) from the concept of ICT third-party service provider.

Considering the precedent value of this case, we would be grateful if you could provide some guidance on this. Following a first analysis - and without prejudice to a final assessment - we seek the ESAs' views on specific arguments that would tend to indicate that the public administration body should not be considered to be an ICT third-party service provider:

- Entities that are no undertakings are not captured by the definition of ICT third-party service provider. Moreover, a broad reading of recital 63 would imply that public authorities are not ICT third-party service providers when fulfilling State functions (even outside the context of payment services).
- In that respect, the abovementioned public administration body presents features that are not typical of a commercial undertaking: it lacks a separate legal personality, does not perceive a remuneration and performs its tasks by virtue of a legislative text. It also provides ICT services to an institution for occupational retirement that only caters to civil servants, so that it could be argued that it fulfils State functions (although the services could – at least theoretically – also be sourced on the market).

We look forward to receiving your feedback on this. Please do not hesitate to contact us, should you wish to discuss this any further or should you have any questions or remarks regarding the above. Considering the imminent entry into force of the DORA framework (and the reporting deadlines regarding the register of information), we would very much appreciate it if you could consider this question urgently.
EIOPA answer
This question has been rejected because the issue it deals with is already explained in Recital 63 of the Regulation.