If you work in or around the EU financial sector, you need to know what counts as an ICT service under DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554). Get it wrong and you either miss obligations or waste time on requirements that do not apply.
The Official Definition: Article 3(21) of DORA
DORA’s glossary lives in Article 3, and point 21 is where the ICT service definition sits. Here it is, directly from the regulation:
“ICT services” means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services, which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analog telephone services.
That is the legal anchor. Everything else in this article builds from it. Let me unpack what each part of that definition actually means.
Why It Is Deliberately Broad
DORA’s Recital 35 confirms that the definition should be understood in a broad manner, and explicitly includes so-called “over the top” services that fall within the category of electronic communications services. The European Commission reinforced this, confirming through the ESAs’ joint Q&A process that the definition of ICT services intentionally maintains a broad scope.
Practical Examples
| Service | In Scope? |
|---|---|
| Cloud (IaaS/SaaS) | Yes |
| Managed security (SOC) | Yes |
| Hardware with firmware updates | Yes |
| One-time implementation | Borderline |
| Analogue telephone | No |
The Two Tiers That Matter
Not all ICT services carry the same weight. If an ICT service supports a critical or important function, meaning its disruption would materially impair the financial entity’s performance, continuity, or regulatory compliance, stricter contractual and governance requirements apply. Separately, the ESAs can designate individual ICT third-party service providers as critical at the EU level based on systemic impact criteria. These are two different classifications and should not be conflated.
Your Starting Point
Assume a service qualifies unless you can clearly show otherwise. Then ask: which business functions does it support, are any of those critical or important, and what contractual obligations follow? That sequence keeps you compliant and focused.
