Search QAs

If a contract that is included in the ROI as at 31-Mar-2025 is terminated between 1-Apr-2025 and 31-Dec-2025, should it be included in the ROI reported as at 31-Dec-2025 with a reason (B_02.02.0090) filled in? If yes, should the contract be included in the ROI report as at 31-Dec-2026?

Art. 12 III DORA: When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. What does DORA mean by "recovering backed-up data using own systems"? What does "own systems" mean? What is the source ICT system? The productive system whose data is backed-up or the system where the backed-up data is stored?

I would appreciate a clear answer regarding how financial entities should handle situations involving reselling. According to point 107 of the Q&A: "If the reseller is not providing the ICT service on an ongoing basis, it should not be considered an ICT TPP." Given this statement, how should we …

For the identification of insurance and reinsurance undertakings the RTS on TLPT specifies quantitative criteria in Article 2(2)(g) that must be met in a cumulative way. Additionally, in the last subparagraph of Article 2(2) of the RTS on TLPT further quantitative criteria are given. In order to fos…

Since there many requirements directed at ICT systems but there is no definition id like to know if ICT-Systems are definable by the following: An ICT system is a collection of multiple different productive ICT Assets (e.g., a database, a virtual server and the installed software artifact on it) tha…

Article 18 refers to "Member States" in regard to geographical spread. However, this implies that the article does not include EEA members, i.e., incidents that spread to EEA and non-EU members (Iceland, Liechtenstein, Norway) are not to be considered in the classification of major ICT-related incid…

Scope and Territorial Applicability of DORA Does DORA apply exclusively to entities operating within the EU? Consider the following examples for clarification: Example 1: An organization headquartered in an EU Member State, such as Spain, operates branches in non-EU countries (e.g., New Zealand, Jap…

We are an elearning platform provider. We work with an important bank in France. Is Dora applicable for our company (provider of soft skills elearning content to bank sector employees) ? 

Software is bought as it is from an external provider. The contract specifies no further development, maintenance or support. However, the service provider publishes updates, which can optionally be downloaded by users. Would this constellation represent a DORA ICT-service?