DORA Regulation: Are Public Authorities Beyond Oversight?

by | Mar 24, 2026

The European Digital Operational Resilience Act (DORA) impacts banks, investment firms, and their technology partners across the EU. However, a definitive interpretation by the European Supervisory Authorities (ESAs) confirms that public authorities providing ICT services in the exercise of state functions are not considered “ICT third-party service providers.” For expatriates and high-net-worth investors, this means fewer contractual formalities but no less responsibility for managing risks in a complex international environment.

On February 6, 2026, the Joint Committee of the ESAs published a response regarding the interpretation of Recital 63 of the DORA Regulation. This digital framework, effective since January 2025, aims to bolster the financial sector’s resilience against IT risks. The clarification is crucial: public authorities providing ICT-related services for state functions are exempt from the definition of ICT third-party providers (ICT TPPs).

Why Does This Matter for Your Portfolio?

If a financial institution utilizes an ICT TPP, Article 30(2) of DORA mandates detailed contractual arrangements—covering data security, access rights, audits, and termination strategies. However, if the counterparty is a public authority, these stringent contractual obligations do not apply.

“The regulation eases the contractual regime, but it does not diminish the ultimate responsibility for risk.”

Implications for Private Wealth Structures

Consider a typical scenario: an investment platform or a private fund utilizes state-agency software to access official databases or manage public grants. Until now, there was uncertainty whether such an entity fell under the DORA regime as an ICT TPP. The answer is now clear: No, provided it is performing a state function.

At first glance, this appears to be regulatory relief. In practice, however, it creates a specific gap. If you hold investments in a fund dependent on state infrastructure—for example, for the distribution of public support or the management of guarantees—this relationship will not be covered by DORA’s contractual safety standards. The risk of system outages or data access restrictions remains entirely with the financial institution and, indirectly, with you as the investor.

A surprising detail is that “ICT-related services” are not explicitly defined in DORA. The current interpretation is broader than just “ICT services,” potentially including data provision or software tools provided by public administrations. This expands the scope of the exemption more than originally anticipated.

Strategic Recommendations for Investors

  1. Map Infrastructure Dependencies: Identify where your investments or holding structures rely on state-run ICT systems (e.g., land registries, settlement systems, or subsidy management). This is a matter of operational reality, not just legal formality.

  2. Assess Concentration Risk: If a critical data flow or operational process is tied to a single public system that sits outside DORA’s contractual oversight, an alternative scenario—both technical and liquid—must be in place.

  3. Implement Strategic Oversight: As an independent intermediary, Aisa International does not provide technical IT reporting. However, we monitor whether the risk management architecture of your providers is adequate, proportional, and aligned with the regulatory reality of the EU and the Czech Republic.

The “Sovereignty vs. Safety” Paradox

The DORA regulation was originally intended to extend oversight across all technology partners of the financial sector. The interpretation of Recital 63 shows that the State remains outside this regime. While logical from a standpoint of national sovereignty, it is less comfortable from an investor’s perspective.

A critical view is necessary: while the EU tightens requirements for private providers, public systems remain outside the contractual framework. The solution is not resignation, but active dependency management and transparent wealth structuring.

The views expressed in this article are not to be construed as personal advice. Therefore, you should contact a qualified, and ideally, regulated adviser in order to obtain up-to-date personal advice with regard to your own personal circumstances. Consequently, if you do not, then you are acting under your own authority and deemed “execution only”. The author does not accept any liability for people acting without personalised advice, who base a decision on views expressed in this generic article. Importantly, where this article is dated then it is based on legislation as of the date. Legislation changes but articles are rarely updated, although sometimes a new article is written; so, please check for later articles or changes in legislation on official government websites, as this article should not be relied on in isolation.

Vyjádřené názory v tomto článku nelze považovat za osobní poradenství. Vždy se proto obraťte na kvalifikovaného, ideálně regulovaného poradce, který vám poskytne aktuální, osobní doporučení šitá na míru vaší konkrétní situaci. Pokud se rozhodnete jednat bez takového poradenství, činíte tak na vlastní odpovědnost a vaše jednání spadá pod režim „execution only“ (pouhá realizace pokynu bez poradenství). Autor nepřijímá žádnou odpovědnost za rozhodnutí osob, které se spoléhají na názory uvedené v tomto obecném článku bez personalizovaného poradenství. Je důležité si uvědomit, že pokud je článek datován, vychází z právních předpisů platných k uvedenému datu. Právní předpisy se mohou měnit a články jsou aktualizovány jen zřídka. Doporučujeme proto vždy ověřit případné novější články nebo změny legislativy na oficiálních vládních stránkách, protože na tento článek nelze spoléhat izolovaně.

Follow us on Social Media

Post written by:
Autorem článku je:

Monika Škubalová

Monika works in the area of compliance and financial crime prevention, where she specializes in setting internal rules and control mechanisms to protect the company from financial and regulatory risks. She has experience in providing professional advice and implementing processes in accordance with legislation. She actively participates in training the internal team and supports the corporate culture of responsibility and transparency.

Aisa International is the only financial advice service company specialising in advice for expats that is regulated as a Securities Trader in the Czech Republic, USA, and UK.