Intelligent Fin.tech Issue 34 | Page 37

INDUSTRY INSIGHT

Category of Service Provider under DORA and WSO2 Assessment
1. ‘ICT Third-Party Service Provider’
WSO2 Assessment: While we provide ICT services and are subject to the obligation to adopt contractual commitments of Article 30.1 and 30.2, we do not fall under any of the other two categories of ICT third-party service providers subject to heightened regulatory obligations.
2. ‘ICT Third-Party Service Provider Supporting Critical or Important Functions’
WSO2 Assessment: To the best of our knowledge, our services do not qualify as critical or important functions under DORA, as any potential disruption would not significantly impact the financial performance, operational continuity, or regulatory compliance of the financial entities we serve.
3. ‘Critical ICT Third-Party Service Provider’
WSO2 Assessment: We have not been designated as a critical ICT Third-Party Service Provider by supervisory authorities.
Financial services customers can sign a DORA addendum with WSO2 addressing the regulatory requirements.
Although WSO2 on-premises products are not classified as ‘Critical ICT Third-Party Service Providers’ under DORA, we acknowledge our role as a service provider to financial institutions and regulated entities. This means that, although we are not directly subject to heightened regulatory scrutiny, we bear shared accountability in supporting our customers’ DORA compliance obligations.
To align with the expectations of our customers operating in the EU financial sector, WSO2 is committed to the following:
• Ensuring third-party compliance: WSO2 leverages several third-party service providers that process customer-related data, including personally identifiable information (PII). As these platforms indirectly handle regulated customer information, WSO2 ensures that its third-party vendors implement strong data governance and are DORA-aligned in their operational resilience, contractual obligations and audit readiness.
• Supporting product lifecycle compliance: WSO2 maintains a robust product lifecycle management process for its software, encompassing timely delivery of patches, security updates and support services. Our commitment to transparency, availability and service continuity ensures that our customers using WSO2 products can meet DORA’s expectations for ICT risk management and operational resilience.
• Guidance for DORA-aligned customer deployments: To help customers achieve their own compliance goals, WSO2 encourages and supports architecture reviews, deployment best practices and risk assessments aligned with DORA. We work with customers to evaluate the resilience, data handling and operational dependencies of their WSO2-based environments to help them ensure that digital resilience requirements are met at the deployment level.
Through these practices, WSO2 reinforces its commitment to secure, resilient and trustworthy digital infrastructure, thereby enabling our customers to confidently meet the demands of DORA without unnecessary risk exposure.