The European Digital Operational Resilience Act (DORA) impacts banks, investment firms, and their technology partners across the EU. However, a definitive interpretation by the European Supervisory Authorities (ESAs) confirms that public authorities providing ICT services in the exercise of state functions are not considered “ICT third-party service providers.” For expatriates and high-net-worth investors, this means fewer contractual formalities but no less responsibility for managing risks in a complex international environment.
On February 6, 2026, the Joint Committee of the ESAs published a response regarding the interpretation of Recital 63 of the DORA Regulation. This digital framework, effective since January 2025, aims to bolster the financial sector’s resilience against IT risks. The clarification is crucial: public authorities providing ICT-related services for state functions are exempt from the definition of ICT third-party providers (ICT TPPs).
Why Does This Matter for Your Portfolio?
If a financial institution utilizes an ICT TPP, Article 30(2) of DORA mandates detailed contractual arrangements—covering data security, access rights, audits, and termination strategies. However, if the counterparty is a public authority, these stringent contractual obligations do not apply.
“The regulation eases the contractual regime, but it does not diminish the ultimate responsibility for risk.”
Implications for Private Wealth Structures
Consider a typical scenario: an investment platform or a private fund utilizes state-agency software to access official databases or manage public grants. Until now, there was uncertainty whether such an entity fell under the DORA regime as an ICT TPP. The answer is now clear: No, provided it is performing a state function.
At first glance, this appears to be regulatory relief. In practice, however, it creates a specific gap. If you hold investments in a fund dependent on state infrastructure—for example, for the distribution of public support or the management of guarantees—this relationship will not be covered by DORA’s contractual safety standards. The risk of system outages or data access restrictions remains entirely with the financial institution and, indirectly, with you as the investor.
A surprising detail is that “ICT-related services” are not explicitly defined in DORA. The current interpretation is broader than just “ICT services,” potentially including data provision or software tools provided by public administrations. This expands the scope of the exemption more than originally anticipated.
Strategic Recommendations for Investors
-
Map Infrastructure Dependencies: Identify where your investments or holding structures rely on state-run ICT systems (e.g., land registries, settlement systems, or subsidy management). This is a matter of operational reality, not just legal formality.
-
Assess Concentration Risk: If a critical data flow or operational process is tied to a single public system that sits outside DORA’s contractual oversight, an alternative scenario—both technical and liquid—must be in place.
-
Implement Strategic Oversight: As an independent intermediary, Aisa International does not provide technical IT reporting. However, we monitor whether the risk management architecture of your providers is adequate, proportional, and aligned with the regulatory reality of the EU and the Czech Republic.
The “Sovereignty vs. Safety” Paradox
The DORA regulation was originally intended to extend oversight across all technology partners of the financial sector. The interpretation of Recital 63 shows that the State remains outside this regime. While logical from a standpoint of national sovereignty, it is less comfortable from an investor’s perspective.
A critical view is necessary: while the EU tightens requirements for private providers, public systems remain outside the contractual framework. The solution is not resignation, but active dependency management and transparent wealth structuring.

