Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 on operational digital resilience in the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (the “Regulation” or “DORA”) provides a comprehensive legal framework for various core elements of operational digital resilience of financial entities.
The Regulation establishes an EU framework for the supervision of critical third-party providers of ICT services (“CTPPs”). According to Article 31 of DORA, there are two ways to become a CTPP:
- designation by the ESAs (i.e., EBA, ESMA and EIOPA), through the Joint Committee and on the recommendation of the Supervisory Forum,
- a reasoned request for designation, which the provider may submit to the EBA on its own initiative.
As lead supervisory authorities, EBA, ESMA and EIOPA will have the authority to monitor, on a pan-European scale, the activities of CTPPs in the context of the ICT services they provide to financial entities.
Accordingly, once an ICT provider is designated as a CTPP, it will be subject to direct financial supervision, which could positively affect the competitive position of that provider and determine the quality of its services.
In the final draft of Delegated Regulation (EU) C(2024) 896 adopted by the European Commission on February 22, 2024, the criteria for the designation of a CTPP were clarified with regard to the following:
- the systemic impact that a failure or operational outage of an external ICT service provider could have on the financial entities to which such provider provides ICT services;
- the systemic nature or importance of the financial entities, taking into account the number of global systemically important institutions or other systemically important institutions that use the services of the external ICT service provider in question;
- the criticality or materiality of the functions supported by the ICT services provided by the external ICT service provider; and
- the degree of substitutability of the external ICT service provider, taking into account the number of external ICT service providers operating in the relevant market, as well as the costs of migrating ICT data and inputs to other external ICT service providers.
Importantly, where an external ICT service provider belongs to a group, the four criteria listed above are assessed in the context of the ICT services provided by the group as a whole.
Exemptions from designation as a key ICT service provider
In accordance with DORA, designation as a key ICT service provider does not apply to:
- financial entities that provide ICT services to other financial entities;
- external ICT service providers that are subject to supervisory frameworks established to support the tasks referred to in Article 127(2) TFEU;
- intra-group ICT service providers;
- external ICT service providers that provide services exclusively in one Member State to financial entities that operate only in that Member State.