FAQ
Digital Operational Resilience Act ("DORA")
What is an ICT Service under DORA?
- Definition: DORA defines an ICT Service as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis (Art. 3(21) DORA).
- Requirements: ICT Services provided by ICT third-party service providers to Financial Entities must comply with Art. 30 DORA.
- Examples: Annex III of the Commission Implementing Technical Regulation 2024/2956 (the “ITS”) provides examples of ICT Services, focusing on the information needed for the register as per Art. 28(3) DORA.
- Clarification: FAQs from the European Supervisory Authorities (ESAs) clarified that a service shall not be considered as an ICT Service if a Financial Entity is authorized to deliver such service. Consequently, any activities which are directly resulting from these authorizations would not constitute ICT Services. However, these FAQs have been partially withdrawn and the European Commission plans to clarify this through a Q&A with the support of the ESAs.
Which ICT services are provided by ECC and how is it intended to proceed with such services?
- European Commodity Clearing AG (“ECC AG”) is authorised to operate as a central counterparty.
- However, clearing is not provided as an IT platform or software solution service. The aforementioned clearing activities are subject to a regulatory authorisation requirement, but ECC does not offer clearing as PaaS, SaaS, IaaS solutions. ECC does not offer services conformant to the ICT Services mentioned in Annex III of Commission Implementing Technical Regulation 2024/2956 with respect to the operation of a clearing system. This core function is not to be considered as ICT Service. Accordingly, the customers will not be required to amend their existing contractual arrangements in this respect.
- Please note that, as of now, the legal framework comprising the regulatory technical standards for DORA is not fully complete and yet to be finalized. In addition, the EU Commission announced to issue an administrative practice on the interpretation of ICT Services with potential relevance for other services than the services mentioned above (such as the technical access to trading). We are closely monitoring the further development of the DORA legislation and the associated administrative practice – and are prepared to roll-out respective DORA appendices for contracts in scope, if needed. We, therefore, ask you to wait until the matter has been finally clarified and subsequently acknowledge that we will not be able to sign any individual contracts until then.
Who should I contact with questions regarding DORA?
You can get in touch via dora@eex.com. As reference, please mention your Member ID, and the Service you are referring to.
Is ECC responding to individual requests to fill in the “Provider Questionnaire”?
Due to high inquiry volumes, we cannot fill out individual questionnaires. Please refer to our website, customer portal, or industry sources like the commercial register or SWIFT Registry. To make this convenient to you, sources incl. download links are made available by email on request.
Will ECC provide information about the subcontractors involved in the provision of ICT services if such services are identified?
The RTS on subcontracting is currently only available in a draft version and does not constitute applicable law. According to our information, the draft version is currently being discussed (in particular by various companies and associations) and an exchange is taking place with the EU Commission. For this reason, it has been decided to implement DORA requirements only if they also constitute applicable law. ECC will take the necessary measures for implementation as soon as the aforementioned RTS has been adopted and entered into force with binding effect.
Is ECC compliant with recognized information security standards?
It is one of our main goals to apply the highest security standards to protect our systems and ensure stable market and clearing environments.
Has ECC established and maintained business continuity plans?
It is one of our main goals to apply the highest security standards to protect our systems and ensure stable market and clearing environments. In addition, we are planning to make a DORA aligned control report 2025 available in early 2026.