Question ID: DORA 204 - 3277
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: Other DORA topics
Article: 9(1)
Status: Rejected
Date of submission: 03 Mar 2025
Question
Since there are many requirements directed at ICT systems but there is no definition, I'd like to know if ICT systems are definable by the following: An ICT system is a collection of multiple different productive ICT assets (e.g., a database, a virtual server and the installed software artifact on it) that serve a definable business or technical purpose.
Background of the question
1. Since an ICT asset can be interpreted as a part of an ICT system, for example:
- A blank virtual server qualifies as an ICT asset. Therefore, at least one software artifact must be installed for it to be considered an ICT system.
- Additionally, an ICT system can exist without a database.
2. ICT systems need to be operational to be recognized as ICT systems and thus considered "productive". Additionally, ICT systems can be distinguished by the environment in which they operate (e.g., test environments, production environments); therefore, financial institutions can differentiate requirements based on these environments.
3. Since ICT systems are usually not created and operated for fun, they must serve a defined functional purpose (e.g., processing customer payments) or a technical purpose (e.g., attack detection).
EIOPA answer
This question has been rejected because the issue it deals with is already explained in the Regulation (Art. 3 (2) of DORA which fully covers the definition raised by the submitter).