DORA: Key observations regarding the designation of international ICT third party service providers as critical
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which will apply from 17 January 2025, is intended to create a harmonised regulatory framework that enhances the digital operational resilience of in-scope EU financial entities in respect of ICT-related disruptions and threats.
Although DORA’s main focus is on EU financial entities, it also contains a new EU-wide oversight framework for non-FS regulated ICT third party service providers that are designated as critical. The European Supervisory Authorities (ESAs) now have the power to designate ICT third party service providers against four criteria set out in Article 31(2) of DORA.
The European Commission (Commission) is empowered, under Article 31(6) of DORA, to adopt a delegated act which will provide further clarity on the criteria that will lead to a critical designation. The Commission recently published a draft delegated regulation for this purpose (Draft Delegated Regulation). The Draft Delegated Regulation, which is still subject to a four-week public consultation, must be finalised and adopted by the Commission by 17 July 2024.
The Commission also published a second draft delegated regulation for the purpose of determining the amount of oversight fees to be charged to critical ICT third party service providers in accordance with Article 43 of DORA. The details of that draft delegated regulation are not discussed in this article.
What ICT third party service providers will be designated as critical?
The four criteria that the ESAs must use to assess the criticality of an ICT third party service provider are framed very broadly. In summary, they are:
- the systemic impact on the provision of financial services
- the importance of the EU financial entity relying on the ICT third party service provider
- criticality or importance of the functions supported by the ICT services provided, and
- the degree of substitutability of the ICT third party service provider.
Following the Technical Advice issued by the ESAs in September 2023 (see our previous Insight), the Draft Delegated Regulation further supplements these high level primary criteria by specifying a two-step assessment approach, formulas and thresholds to be used by the ESAs when applying sub-criteria. Under the two-step assessment approach, the ESAs must use the first quantitative step to filter the population of ICT third party service providers, followed by the second qualitative step, which allows for further in-depth analysis, as follows:
- Step 1: ICT third party service providers will be assessed against quantitative sub-criteria, alongside respective minimum relevance thresholds. If all the sub-criteria under step 1 are fulfilled, the ESAs will then consider the qualitative sub-criteria under step 2. As such, the outcome of step 1 will indicate the ICT third party service providers which would proceed to further assessment under step 2.
- Step 2: ICT third party service providers that are identified following step 1 undergo a further assessment based on five qualitative sub-criteria. This allows for a more granular assessment of the ICT third party service providers that are potentially considered as critical according to step 1. As the step 2 sub-criteria are qualitative in nature, they do not come with minimum relevance thresholds.
Following completion of the two-step assessment, the ESAs will decide whether or not to designate an ICT third-party service provider as critical for financial entities.
Due to the broad nature of the primary criteria and the ESAs’ scope for discretion provided for under the two-step assessment approach, it will be difficult to predict with certainty whether any given ICT third party service provider is likely to be designated as critical or not.
However, recent comments by José Manuel Campa, Chair of the EBA, indicate the type of ICT service providers that may fall within the third party oversight framework under DORA, stating that “the type of ICT services that mainly support the critical and important functions of the EU financial sector are (i) network infrastructure services and (ii) data centre services.” Campa also noted that DORA covers a wide range of ICT third party service providers “including providers of cloud computing services, software, data analytics services and providers of data centre services”.
Can an internationally based ICT third party service provider be designated as critical?
Many EU financial entities rely on a small number of large international businesses for the provision of ICT services. One of the primary purposes of the oversight framework for critical ICT third party service providers is to limit the systemic and concentration risk caused by many financial entities relying on a small number of critical ICT third party service providers.
Two important points arise in respect of international ICT third party service providers:
- where an ICT third-party service provider belongs to a group, the criticality assessment criteria must be considered in relation to the ICT services provided by the group as a whole (i.e., including the parent undertaking and all of its subsidiaries irrespective of location) (Article 31(3) of DORA)
- EU financial entities can only make use of the services of an ICT third party service provider established in a third (i.e., non-EU) country, and which has been designated as critical, provided that the ICT service provider has established a subsidiary in the EU within 12 months of its designation (Article 31(12) of DORA)
This means that:
- an ICT third party service provider established in a third country that is providing ICT services to an in-scope financial entity in the EU can be designated by the ESAs as critical for that financial entity
- where an ICT third party service provider that is established in a third country is designated as critical for a financial entity, that service provider must establish a subsidiary in the EU within 12 months of its designation in order to continue to provide ICT services to the financial entity
- an ICT third party service provider that is currently established in the EU cannot avoid being designated as critical by moving its establishment outside of the EU
What will oversight by the Lead Overseer look like?
As noted above, DORA will implement an oversight framework for critical ICT third party service providers. Once an ICT third party service provider is designated as critical, one of the ESAs will be appointed as its ‘Lead Overseer’ and will be responsible for its oversight.
When conducting oversight activities, in particular general investigations and inspections, the Lead Overseer will be assisted by a joint examination team (JET) established for each critical ICT third-party service provider. The JET will be composed of staff members from the ESAs and relevant national competent authorities (including the Central Bank of Ireland) who have expertise in ICT matters and in operational risk. The JET will work under the coordination of a designated Lead Overseer staff member.
It is important to note that the Lead Overseer’s role is one of oversight (not supervision). Gerry Cross, Chair of the ESAs’ Joint Sub-Committee on DORA Implementation and Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland, stated during a speech in March this year that critical ICT third party service providers “are subject not to regulation or to formal supervision but to oversight”. He further stated that while the oversight of ICT third party service providers “reflects the enormously important role that such participants have come to play in the functioning of the financial system” they “do not fall directly within the regulatory framework”.
Notwithstanding this, there will be significant change for major ICT service providers that are designated as critical and, as a result, fall within DORA’s oversight framework. For example, the Lead Overseer will:
- conduct an assessment to establish whether the ICT third party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to EU financial entities, including, but not limited to:
  - an assessment of risk management processes, ICT risk management policies, ICT business continuity policy and ICT response and recovery plans
  - an assessment of governance arrangements, including an organisational structure with clear, transparent and consistent lines of responsibility and accountability
  - testing of ICT systems, infrastructure and controls
  - ICT audits
  - an assessment of the physical security contributing to ICT security, including the security of premises, facilities and data centres
- based on the assessment referred to above, adopt a detailed and individualised oversight plan describing the annual oversight objectives and the main oversight actions planned
- have extensive rights to access the information and documentation necessary for the Lead Overseer to carry out its duties under DORA
- be able to conduct investigations into critical ICT third-party service providers
- be able to conduct on-site inspections, including access to relevant ICT systems, networks, devices, records and information that are located in any business premises, land or property of the ICT third-party service provider, such as head offices, operation centres and secondary premises
- have powers to issue recommendations (Recommendations), and to request reports specifying the actions that have been taken, or the remedies that have been implemented, by the critical ICT third-party service provider in relation to Recommendations
Where a critical ICT third-party service provider fails to comply with requests for information and documentation, with measures required to conduct investigations and inspections, or with the obligation to report on remedial actions taken in response to Recommendations, the Lead Overseer can adopt a decision imposing a periodic penalty payment to compel the critical ICT third-party service provider to comply with these measures. The periodic penalty payment will be imposed on a daily basis until compliance is achieved, and for no more than six months following the notification of the decision to impose it. The amount of the periodic penalty payment will be up to 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year. When determining the amount of the penalty payment, the Lead Overseer can take into account the gravity and duration of the non-compliance, whether the non-compliance was intentional or negligent, and the level of cooperation of the ICT third-party service provider with the Lead Overseer.
As a last resort, competent authorities may take a decision requiring financial entities to temporarily suspend, either in part or completely, the use or deployment of a service provided by a critical ICT third-party service provider until the risks identified in Recommendations addressed to critical ICT third-party service providers have been addressed. Furthermore, where necessary, competent authorities may require financial entities to terminate, in part or completely, contractual arrangements with the critical ICT third-party service provider.
The Lead Overseer will also be able to use some of its powers outside of the EU. When oversight objectives cannot be attained by interacting with the subsidiary set up for the purpose of Article 31(12) of DORA, or by exercising oversight activities on premises located in the EU, the Lead Overseer may exercise certain powers on any premises located in a third country which is owned, or used in any way, by a critical ICT third-party service provider in connection with its business for the purpose of providing services to in-scope financial entities in the EU.
This part of the DORA regime is different from any financial services regulatory regime seen before in the EU, especially as the relevant critical ICT third-party service providers by definition are not currently subject to financial regulatory supervision. The process of establishing which ICT third-party service providers are critical has begun, and those who expect to be caught will be identifying the impact of the additional EU compliance burden on their businesses.
Key contacts
Further in-depth publications relating to DORA can be found on our ALG DORA webpage, including our publication ‘A closer look at the EU’s DORA’.
For further information in relation to this topic, please contact Patrick Brandt, Partner, Caoimhe Crowley, Solicitor, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.
Date published: 23 January 2024