Legacy ICT system

by Swapnil Wale

‘Legacy ICT system’ means an ICT system that has reached the end of its lifecycle (end-of-life), that is not suitable for upgrades or fixes, for technological or commercial reasons, or is no longer supported by its supplier or by an ICT third-party service provider, but that is still in use and supports the functions of the financial entity;

Interpretation of the official DORA definition:

The term "Legacy ICT system" as defined in EU Regulation 2022/2554 refers to information and communication technology systems that have reached the end of their useful life, known as end-of-life (EOL). Here's a breakdown of what constitutes a legacy ICT system according to this definition:

  1. End of Lifecycle (End-of-Life): This refers to ICT systems that have reached a stage in their lifecycle where they are no longer effective or suitable for the intended purpose. This could be due to aging hardware, software that no longer receives updates, or systems that are technically obsolete.

  2. Not Suitable for Upgrades or Fixes: Legacy systems are often not compatible with new software updates or hardware upgrades. This could be because newer technologies are not backward compatible or because the cost and complexity of upgrading would be prohibitive.

  3. Unsupported by Supplier or ICT Third-Party Service Provider: Often, legacy systems are no longer supported by the original supplier or by any third-party ICT service provider. This means no further updates (including security patches), bug fixes, or support services are available, so newly discovered vulnerabilities remain unremediated, which poses significant security and operational risks.

  4. Still in Use and Supports Functions of the Financial Entity: Despite these limitations, these systems are still in operation and perform critical functions within the financial entity. This might be due to the specific needs that the system serves, the high costs associated with replacing the system, or the complexity involved in migrating to a new system.

Essentially, a legacy ICT system is outdated technology that continues to be used beyond its intended period of effectiveness, often because transitioning away from it poses its own set of challenges. These systems can create significant risks, especially in the financial sector, where security and operational resilience are paramount. The continued use of such systems must be managed carefully (for example, by inventorying them, isolating them and applying compensating controls) to mitigate potential vulnerabilities and ensure ongoing compliance with regulatory standards.