2999 - DORA030 - EIOPA
European Insurance and Occupational Pensions Authority

Question ID: 2999 - DORA030

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Topic: Other DORA topics

Article: 3(21)

Status: Final

Date of submission: 14 Feb 2024


Based on the definition of DORA Article 3(21), what types of services should be considered ICT services?

EIOPA answer

The answer to this question is provided by the European Commission.

The definition of ‘ICT services’ in Article 3(21) of Regulation (EU) 2022/2554 intentionally maintains a broad scope. Recital (35) of Regulation (EU) 2022/2554 indeed clarifies that, with the aim of maintaining a high level of digital operational resilience, the definition of ICT services should be understood in a broad manner to the extent that such services encompass digital and data services provided through ICT systems on an ongoing basis. Therefore, financial entities are responsible for undertaking an assessment on this basis to determine whether the services they rely on are ICT services, as defined under Article 3(21) DORA. Such assessment should be performed taking into account the clarifications from DORA Recital (63), which specifies that DORA should cover a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities, and without prejudice to sectoral regulations applicable on regulated financial services.

Financial services may entail an ICT component. In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).

In case the service is provided by a regulated financial entity providing regulated financial services but is unrelated or is independent from such regulated financial services, the service should be considered as an ICT service under Article 3(21) DORA. 

The same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner. 

The clarification about the difference between financial services and ICT services is without prejudice to the requirements applicable to financial entities under DORA, other than the requirements related to ICT third-party risk management.

Disclaimer provided by the European Commission:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.