ESMA_QA_2379
Status: ✅ Answer Published
Link to ESMA Q&A tool: https://www.esma.europa.eu/publications-data/questions-answers/2379
Regulatory Context
Regulation : DORA
Level 1 Regulation: Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
Level 2 Regulation: No information available
Level 3 Regulation: No information available
Topic: Other DORA topics
Subject Matter: Art. 1(1) DORA - systems supporting the business processes of financial entities
Question
Submission Date: 17 December 2024
Financial entities select ICT service providers based on risk assessment, taking into account the business continuity plan and a number of national and sectoral regulations regarding cybersecurity. In addition to standard contractual relationships with entrepreneurs, there are also solutions that financial entities use:
a) on the basis of a license, e.g. open source. The license provisions are not negotiated, and the service is not individually parameterized for the investment company. The investment company has no influence on the shape of the service and the license provisions. The licenses contain provisions regarding automatic update of the tool, but do not contain provisions regarding, e.g., support or SLA (e.g. Adobe Acrobat Reader);
b) web applications, e.g. Lex/Legalis systems (review of legal acts), which employees access via a browser; the agreement does not involve installing the application on the employee’s computer, but only providing a specified number of licenses for use by the company, or a web system for registering correspondence in the case of ordering a courier;
c) providers of employee benefits, e.g. medical care. They are not directly related to the company’s business; employees use the application on private devices and log in with a private email address, while registration is necessary for the medical company to create an account for the employee.
Is it possible to apply the principle of proportionality, provided for in the DORA regulations, which will allow for proper identification of risks and the application of proportionate mitigants in the case of the above-mentioned services? In the opinion of the financial entity, the application of all the obligations indicated in the DORA regulations, in particular those concerning contractual provisions and reporting obligations, is disproportionate to the risk generated by the above solutions. The financial entity does not deny the need for evaluation of each solution and review of its correct functioning; however, the number of entities in relation to which these obligations would have to be performed may affect the quality of the duties performed.
Are the services supporting a critical or important function all the services used as part of performing this function, including those that are quickly and relatively cheaply replaceable (e.g. Adobe Acrobat Reader, 7ZIP, e-mail encryption program)?
ESMA Answer
Answer Date: 17-12-2024
The answer to question part 1 can be found in the regulatory texts. The second part has already been answered or is in the process of being answered: DORA006
This document was automatically extracted from the ESMA EMIR Q&A database.