- Question ID
-
2024_7096
- Legal act
- Regulation (EU) No 2022/2554 (DORA)
- Topic
- Oversight framework of CTPPs
- Article
-
31
- Paragraph
-
8
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
-
/
- Type of submitter
-
Credit institution
- Subject matter
-
Exemption for Non-EU ICT Intra-group Service Providers
- Question
-
Is it accurate to interpret that an ICT intra-group service provider established outside the EU (non-EU country), providing critical services to an EU-based financial institution (parent undertaking), falls within the exemption outlined in Article 31(8) of DORA, thereby exempting the need for establishing a subsidiary within the EU?
- Background on the question
-
In accordance with the provision of Article 31(12) of DORA, financial institutions may use the services of ICT providers from third countries that have been designated as critical only if these providers have established a subsidiary in the EU within 12 months of the designation. However, paragraph 8 of the same article provides exceptions, which include ICT intra-group service providers. The third-party provider is part of a financial group with the parent undertaking established in an EU country, while the third-party provider itself is established in a non-EU country. The provider primarily offers services to financial institutions within the same group and in our assessment meets the criteria for an "ICT intra-group service provider" as defined in Article 3(20). The bank is inquiring whether, in this case, the third-party provider is required to establish a subsidiary in the EU.
- Submission date
- Status
-
Question under review
- Answer prepared by
-
Answer prepared by the Joint ESAs Q&A