Search QAs

In 2999 - DORA030 - EIOPA, clarifications were provided on what types of services should be considered ICT services under DORA. It indicates that “In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial e…

In the case of global representatives, should contracts with VISA be excluded from the DORA regulation as they were from the EBA regulation?

DORA regulation, Article 25, paragraph 1 has this text

The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open s…

Does an ICT provider’s NIS2 status (including classification as a critical or essential entity) in any way limit the applicability of DORA Articles 28–30 for a financial entity, particularly regarding the requirement to include DORA-aligned contractual provisions and obtain the cooperation needed fo…

Should the definition of ICT service in article 3.21 be deemed to include "Tap to Pay" services where bank customers enroll and digitise their payment cards by using an application in hardware supporting Near Field Communication (e.g. smart phones, smart watches etc.) and which are then used to do p…

Could you kindly advise when the official list of critical ICT third-party service providers under the DORA Regulation is expected to be published? Additionally, would it be possible to obtain any preliminary information regarding this matter and the designation?

Could you please clarify whether contracts with mobile network operators that include IP based communication, mobile data services or software enabled call management functionalities should be considered contracts for third party ICT services under DORA?

What is the purpose of indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting in a contract on the use of ICT services that do not support a cr…

Art. 28 states that "Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important." How should the change be commu…