{"id":47878,"date":"2025-04-15T08:55:51","date_gmt":"2025-04-15T08:55:51","guid":{"rendered":"https:\/\/my.legal500.com\/developments\/?post_type=press_releases&#038;p=47878"},"modified":"2025-04-15T08:56:03","modified_gmt":"2025-04-15T08:56:03","slug":"definition-of-ict-services-under-dora-new-forms-for-ict-third-party-arrangements-ict-outsourcing-arrangements","status":"publish","type":"press_releases","link":"https:\/\/my.legal500.com\/developments\/press-releases\/definition-of-ict-services-under-dora-new-forms-for-ict-third-party-arrangements-ict-outsourcing-arrangements\/","title":{"rendered":"Definition of \u201cICT services\u201d under DORA | New forms for ICT-third party arrangements \/ ICT outsourcing arrangements"},"content":{"rendered":"<ol>\n<li><strong> Clarification on definition of \u201cICT services\u201d<\/strong><\/li>\n<\/ol>\n<p><strong>The CSSF would like to draw the attention of all supervised entities to the ESAs\u00a0<a href=\"https:\/\/tools.eba.europa.eu\/interactive-tools\/2024\/powerbi\/jointqa_visualisation_page.html\">joint Q&amp;As<\/a>\u00a0answer to the question\u00a0<a href=\"https:\/\/www.eiopa.europa.eu\/qa-regulation\/questions-and-answers-database\/2999-dora030_en\">DORA030<\/a>\u00a0on what types of services should be considered \u201cICT services\u201d based on the definition of DORA Article 3(21).<\/strong><\/p>\n<p><!--more--><\/p>\n<p>The answer provided by the European Commission confirmed that the definition of \u201cICT services\u201d intentionally maintains a broad scope and provides further clarifications. 
We strongly recommend supervised entities to review the Commission's answer in detail as it may concern them, either as an entity in scope of DORA or as a service provider of entities in scope of DORA.<\/p>\n<p>Furthermore, we would like to clarify that\u00a0<strong>financial services<\/strong>\u00a0provided by professionals of the financial sector\u00a0<strong>other than<\/strong>\u00a0those covered by\u00a0<a href=\"https:\/\/www.cssf.lu\/fr\/Document\/loi-du-5-avril-1993\/\">Articles 29-3 to 29-6 of the Law of the Financial Sector of 5 April 1993<\/a>\u00a0are\u00a0<strong>not to be considered<\/strong>\u00a0an ICT service within the meaning of DORA. On the contrary,\u00a0<strong>services offered by professionals of the financial sector which are covered by Articles 29-3 to 29-6 of the LFS, considering the nature of these services, must be considered as an ICT service in the meaning of DORA Article 3(21) in all cases<\/strong>, even though they are provided by a regulated financial entity.<\/p>\n<ol start=\"2\">\n<li><strong> Notification of an ICT third-party arrangement supporting a critical or important function under DORA regulation<\/strong><\/li>\n<\/ol>\n<p>Today the CSSF published a new notification form for financial entities subject to DORA<sup>1<\/sup>\u00a0to notify the CSSF, according to Article 28(3) of DORA, in a timely manner about (a) any planned contractual arrangement regarding the use of ICT services supporting critical or important functions as well as when (b) a function has become critical or important.<\/p>\n<p>In the case (a) mentioned above, the prior notification shall be done by the Financial Entity as early as possible before the planned implementation date of the ICT third-party arrangement but, in any case, at least three (3) months or one (1) month (when resorting to a Luxembourg support PFS) before this date. 
In the case (b) mentioned above, the notification shall be done by the Financial Entity without undue delay.<\/p>\n<p>This form shall be used as of today for the submissions of notifications. In order not to penalise entities that are well advanced in the preparation of a notification based on the previous form, financial entities may introduce notifications using the previous form during a transitional period until 10 May 2025. After this date only notifications received with the new form will be considered as notified in line with the instructions and forms available in accordance with sub-chapter 2.1 of Circular CSSF 25\/882 on requirements on the use of ICT third-party services for Financial Entities subject to the Digital Operational Resilience Act (DORA).<\/p>\n<p>The CSSF would like to remind financial entities of the following, which was already published in the\u00a0<a href=\"https:\/\/www.cssf.lu\/en\/2024\/12\/dora-regulation-reminders-and-advice-on-preparedness\/\">communiqu\u00e9 of 5 December 2024<\/a>:<\/p>\n<ol>\n<li>Previously notified\u00a0ICT outsourcing arrangements under Circular CSSF 22\/806\u00a0are\u00a0<strong>not required to be re-submitted in the context of DORA<\/strong>.<\/li>\n<li>Contractual arrangements on the use of ICT services already in place prior to 17 January 2025 and which have not been notified under Circular CSSF 22\/806\u00a0<strong>because they do not qualify as a critical or important ICT outsourcing under the circular<\/strong>,\u00a0<strong>are also not required to be submitted as notifications\u00a0to the CSSF<\/strong>, however they need to be listed in the Register of Information.<\/li>\n<\/ol>\n<ul>\n<li>9 April 2025<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.cssf.lu\/en\/Document\/notification-of-an-ict-third-party-arrangement-supporting-a-critical-or-important-function-as-required-under-dora\/\">Notification of an ICT third-party arrangement supporting a critical or important function as required under 
DORA<\/a><\/p>\n<p>Form<\/p>\n<p><a href=\"https:\/\/www.cssf.lu\/wp-content\/uploads\/Form_ICT_TPP_notification_under_DORA.docx\">DOCX (173.98Kb)<\/a><\/p>\n<ol start=\"3\">\n<li><strong> Notification of a critical or important ICT-outsourcing for entities not subject to DORA<\/strong><\/li>\n<\/ol>\n<p>For supervised entities not subject to DORA<sup>2<\/sup>, the requirements of Circular CSSF 22\/806, as amended by Circular CSSF 25\/883, remain applicable and therefore they shall continue to submit notifications according to the following form. Please note that this form has been updated to remove two questions related to paragraph 143 of Circular CSSF 22\/806 as this paragraph has been repealed from the circular.<\/p>\n<p>For any further questions please contact:\u00a0<a href=\"mailto:ictrisksupervision@cssf.lu\">ictrisksupervision@cssf.lu<\/a>.<\/p>\n<ul>\n<li>17 February 2023\u00a0&#8211;\u00a0Updated on 9 April 2025<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.cssf.lu\/en\/Document\/notification-of-critical-or-important-ict-outsourcing\/\">Notification of critical or important ICT outsourcing<\/a><\/p>\n<p>Version 3<\/p>\n<p>Form<\/p>\n<p><a href=\"https:\/\/www.cssf.lu\/wp-content\/uploads\/Form_notification_of_CoI_ICT_outsourcing_cssf22_806.docx\">DOCX (146.17Kb)<\/a><\/p>\n<p><sup>1<\/sup>\u00a0Financial entities defined in Article 2(1)(a) to (i), (k) to (m), (p), (r) and (s), and within the meaning of Article 2(2) of Regulation (EU) 2022\/2554 on digital operational resilience for the financial sector<\/p>\n<p><sup>2<\/sup>\u00a0As defined in Chapter 2 of Circular CSSF 22\/806 as amended by Circular CSSF 25\/883: Specialised and support professionals of the financial sector, POST Luxembourg, branches in Luxembourg of credit institutions, investment firms and payment and e-money institutions incorporated in a third country, and management companies authorised only under Article 125-1 of Chapter 16 of the UCITS 
Law.<\/p>\n","protected":false},"featured_media":0,"template":"","class_list":["post-47878","press_releases","type-press_releases","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/my.legal500.com\/developments\/wp-json\/wp\/v2\/press_releases\/47878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/developments\/wp-json\/wp\/v2\/press_releases"}],"about":[{"href":"https:\/\/my.legal500.com\/developments\/wp-json\/wp\/v2\/types\/press_releases"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/developments\/wp-json\/wp\/v2\/media?parent=47878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}