The Digital Operational Resilience Act (DORA), effective from January 17, 2025, aims to enhance the technology security and resilience of EU financial services. It applies to all financial market participants, including Euroclear. DORA focuses on Information and Communication Technology (ICT) risk management, incident management, operational resilience testing, third-party risk management, and information sharing on cyber threats. It aims to ensure that financial entities have better control of ICT risks and are more resilient to cyber threats and ICT disruptions.
DORA responds to the need to provide harmonised rules supporting the digital operational resilience of financial entities and the financial system, including a new framework for the oversight of those ICT third party providers which are critical to the European financial system.
Euroclear is committed to meeting DORA standards and has defined strategic ambitions and priorities for enhanced operational resilience, conducted self-assessments and implemented a bespoke governance programme.
The European Commission provided further clarification on what types of services should be considered ICT services, based on the definition in Article 3(21) DORA and although several services provided by Euroclear to its clients could be holistically qualified as ICT services within the meaning of DORA, the fact that they are so strictly related to the provision of regulated financial services makes such services excluded from the qualification as ICT services within the meaning of DORA Article 3(21). Indeed, Euroclear does not provide non-regulated ICT services to other financial entities and current contractual arrangements with its clients remain unaffected. Euroclear CSDs services are strictly regulated under CSDR. Our assessment is fully in line with the clarifications shared by the EU that our products and services including core services, non-banking-type ancillary services and banking-type ancillary services, are not considered ICT services under DORA.
