Digital Operational Resilience Act (DORA)


The digital operational resilience in the financial sector (Regulation (EU) 2022/2554, "DORA") is an EU regulation that enters into force on 17 January 2025. Its aim is to strengthen the resilience, reliability and continuity of financial services throughout the European Union by ensuring that firms can withstand, respond to and recover from cyber incidents.

The purpose of this web page is to answer frequently asked questions regarding the relationship between customers (in their role as financial entities) and Deutsche Börse AG.


1. What is an ICT Service under DORA?

Definition: DORA defines an ICT Service as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis (Art. 3(21) DORA).

Requirements: ICT Services provided by ICT third-party service providers to Financial Entities must comply with Art. 30 DORA.

Examples: Annex III of the Commission Implementing Technical Regulation 2024/2956 (the “ITS”) provides examples of ICT Services, focusing on the information needed for the register as per Art. 28(3) DORA.

Clarification: FAQs from the European Supervisory Authorities (ESAs) clarified that a service shall not be considered as an ICT Service if a Financial Entity is authorized to deliver such service. Consequently, any activities which are directly resulting from these authorizations would not constitute ICT Services. However, these FAQs have been partially withdrawn and the European Commission plans to clarify this through a Q&A with the support of the ESAs.

2. Which ICT services are provided by Deutsche Börse AG and how is it intended to proceed with such services?

Deutsche Börse AG ("DBAG") is authorized to operate the Frankfurt Stock Exchange under its exchange license.

However, trading at the Frankfurt Stock Exchange or the Open Market (Freiverkehr) is not provided as an IT platform or software solution service. The aforementioned trading activities are subject to a regulatory authorization requirement, but neither DBAG nor the Frankfurt Stock Exchange offers trading activities as PaaS, SaaS or IaaS solutions enabling third parties to conduct a market on their own. Neither DBAG nor the Frankfurt Stock Exchange offers services conforming to the ICT Services mentioned in Annex III of Commission Implementing Technical Regulation 2024/2956 with respect to the operation of a trading system. This core function is not to be considered an ICT Service.

Accordingly, DBAG believes that customers will not be required to amend their existing contractual arrangements in this respect. We refer to the publications of Market Data & Services with respect to the implementation of DORA to the relevant market data products. 

Please note that, as of now, the legal framework comprising the regulatory technical standards for DORA is not yet complete and remains to be finalized. In addition, the EU Commission has announced that it will issue an administrative practice on the interpretation of ICT Services, which may be relevant for services other than those mentioned above (such as the technical access to trading). DBAG is closely monitoring the further development of the DORA legislation and the associated administrative practice, and is prepared to roll out respective DORA appendices for contracts in scope, if needed. We therefore ask you to wait until the matter has been finally clarified and to acknowledge that we will not be able to sign any individual contracts until then.

3. Who should I contact with questions regarding DORA?

For clients of Deutsche Börse AG, your first point of contact should always be client.services@deutsche-boerse.com. As a reference, please mention the market, your Member ID, and the Service you are referring to.

4. Are the services offered under the Vendor Access Agreement to be considered ICT services under DORA?

The Vendor Access Agreement is addressed to vendors. The services under the Vendor Access Agreement are not made available to financial entities. Therefore, the DORA requirements for ICT third-party service providers do not apply.

5. Is DBAG responding to individual requests to fill in the “Provider Questionnaire”?

Due to high inquiry volumes, we cannot fill out individual questionnaires. Please refer to our website, customer portal, or industry sources like the commercial register or SWIFT Registry. For your convenience, the sources, including download links, are made available by email on request.

6. Will Deutsche Börse AG provide information about the subcontractors involved in the provision of ICT services if such services are identified?

The RTS on subcontracting is currently only available in a draft version and does not constitute applicable law. According to our information, the draft version is currently being discussed (in particular by various companies and associations) and an exchange is taking place with the EU Commission. For this reason, it has been decided to implement DORA requirements only if they also constitute applicable law. Deutsche Börse AG will take the necessary measures for implementation as soon as the aforementioned RTS has been adopted and has entered into force with binding effect.

7. Is Deutsche Börse AG compliant with recognized information security standards?

It is one of our main goals to apply the highest security standards to protect our systems and ensure stable market and clearing environments. In order to assist our customers with their due diligence, we have already made a comprehensive catalogue available on request and soon also in our Member Section (under Resources > Compliance > Information Security). In addition, we are planning to make a DORA-aligned control report for the year of 2025 available in early 2026.

8. Has Deutsche Börse AG established and maintained business continuity plans?

It is one of our main goals to apply the highest security standards to protect our systems and ensure stable market and clearing environments. In order to assist our customers with their due diligence, we have already made a comprehensive catalogue available on request and soon also in our Member Section (under Resources > Compliance > Information Security). In addition, we are planning to make a DORA-aligned control report for the year of 2025 available in early 2026.

 
