Does the Use of Aspose Fall Outside DORA’s ICT Third-Party Service Scope?
Introduction
Under the Digital Operational Resilience Act (DORA), regulated financial entities must identify and classify which external software and technology relationships qualify as ICT third-party services, particularly when those services support Critical or Important Functions (CIFs).
Based on Aspose’s analysis of the DORA framework, our products will typically fall outside the scope of an ICT third-party service when they are used in a traditional software licensing model.
1. Characteristics of Pure Software Licensing
In general, pure software licensing relationships have the following characteristics:
- Perpetual or term-based right to use software
- Software delivered for installation within the customer’s own infrastructure
- No vendor access to customer systems
- No vendor-operated hosting infrastructure
- No vendor-managed infrastructure
- No vendor processing of customer data
- No ongoing operational involvement by the vendor
- Optional and limited support services
- No availability or uptime SLAs provided by the vendor for the software or related support services
When these characteristics are present, a vendor is typically providing licensed software (intellectual property) rather than an ongoing ICT service.
2. Example of a Pure Licensing Relationship
An example of a pure licensing relationship is when a financial entity purchases a perpetual license for document processing software, installs it within its own infrastructure, and operates it independently.
In this scenario, the vendor provides:
- A license key
- A downloadable software package
The vendor does not provide:
- Hosting infrastructure
- Remote management access
- Telemetry or remote monitoring
- Managed or operational services
The financial entity installs, operates, and controls the software entirely within its own infrastructure.
3. How This Applies to Aspose and You?
Aspose products are typically delivered under a pure software licensing model. Customers install and run the software within their infrastructure, and Aspose does not operate, host, or manage the systems where the software is deployed.
In these circumstances, Aspose provides licensed software, not an ongoing ICT third-party service as described by DORA.
For organizations performing formal compliance assessments, we have prepared a litigation-style memorandum that explains this classification in more detail and references relevant sections of the DORA regulatory framework.
If you would like to review this analysis, you may download the PDF and share it with your legal or compliance counsel.