ESAs advise on criticality criteria and oversight fees for critical ICT third party providers under DORA
On 29 September 2023, the European Supervisory Authorities (EBA, EIOPA and ESMA) (ESAs) published their joint response to the European Commission’s Call for Advice on two delegated acts that the Commission is empowered to adopt under Articles 31 and 43 of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) in order to specify further criteria for critical ICT third party service providers (CTPPs) and determine oversight fees levied on such providers. The delegated acts must be adopted by the Commission by 17 July 2024.
The European Commission issued the Call for Advice to the ESAs on 21 December 2022, following which the ESAs held a consultation from May to June 2023 to inform their advice. The ESAs received 41 responses to the consultation discussion paper, and the Joint Technical Advice further clarifies the proposals that had been set out in the discussion paper. For example, the ESAs have emphasised the holistic nature of the criticality assessment, increased the role of critical or important functions in the assessment and further streamlined the proposed set of criticality indicators. Regarding the oversight fees, the ESAs have partially adapted their draft advice by proposing to define the scope of the applicable turnover on a narrower basis.
Joint advice on criticality criteria
Financial entities (FEs) are subject to specific requirements under DORA in respect of ICT third party service providers (TPPs) that are designated as critical for FEs.
The ESAs are required to designate the ICT TPPs that are critical following an assessment that must take into account the four criteria that are specified in Article 31(2) of DORA, which include, in summary, impact on provision of financial services, importance of FEs, critical or important functions and degree of substitutability.
The European Commission is empowered under Article 31(6) to adopt a delegated act to further specify the criticality criteria referred to in Article 31(2) of DORA. The Commission invited the ESAs to advise on the criticality criteria. In particular, the Commission requested sets of indicators of a qualitative and quantitative nature for each of the four criteria set out in Article 31(2), to be accompanied by minimum thresholds.
Taking into account the criteria set out in Article 31(2), the ESAs’ advice proposes that the criticality assessment encompasses the following two-step indicator-based approach using quantitative and qualitative indicators (see also the diagram below):
Step 1: The ESAs propose that ICT TPPs be assessed against six quantitative indicators, alongside respective minimum relevance thresholds. The minimum relevance thresholds should not be understood as triggers of criticality but as a minimum requirement above which the criticality assessment could be carried out. For example, ICT TPPs that exceed a certain number of minimum relevance thresholds across the six indicators could be subject to a further assessment (step 2). As such, the outcome of step 1 will indicate the ICT TPPs which would proceed to further assessment under step 2. The ESAs emphasise that the quantitative indicators must be considered holistically, taking into account multiple criticality factors or dimensions rather than focusing on individual criticality components in isolation.
Step 2: The ESAs propose that the ICT TPPs which are identified following step 1 undergo a further assessment based on five qualitative indicators. The step 2 indicators should be seen as complementary to the step 1 indicators, allowing for a more granular assessment of the ICT TPPs that could potentially be considered as critical according to step 1. As the step 2 indicators are qualitative in nature, they do not come with minimum relevance thresholds.
The outcome of the assessment of the step 1 and step 2 indicators will be a proposed list of CTPPs to the Oversight Forum, which provides a recommendation to the ESAs’ Joint Committee.
Step 1: Test six quantitative criticality indicators and apply relevant minimum thresholds
- ICT TPP provides ICT services to 10% or more of FEs (based on number of FEs) which support C&I functions
- ICT TPP provides ICT services to 10% or more of FEs (based on total assets of FEs) which support C&I functions
- ICT TPP provides ICT services which support C&I functions to at least one globally systemically important institution (G-SII) or at least three other systemically important institutions (O-SIIs) or at least one O-SII with an O-SII score above 3,000
- ICT TPP provides ICT services which support C&I functions to at least one financial market infrastructure (FMI) identified as systemic by competent authorities (CAs) or at least three FEs (other than credit institutions and FMI) identified as systemic by CAs
- No alternative ICT TPP has been identified by 10% or more of the FEs (based on number of FEs or total assets) for ICT services supporting C&I functions
- Highly complex / difficult to migrate or reintegrate ICT services from the ICT TPP as identified by 10% or more of the FEs (based on number of FEs or total assets) when these support C&I functions
Holistic assessment – TPPs exceeding a certain number of thresholds would be subject to further assessment (step 2)
Step 2: Further assessment based on five qualitative indicators
- ICT TPP provides ICT services for which the impact of discontinuation would be assessed as ‘high’ on the activities and operations of FEs
- Number of CTPPs using the same sub-contractors for providing ICT services to FEs supporting C&I functions (available after first concrete experiences with designated CTPPs)
- Interdependence between G-SIIs or O-SIIs and other FEs using ICT services provided by the same ICT TPP
- Level of inherent criticality of ICT services provided to FEs by the ICT TPP
- Market share of ICT TPPs (based on number of FEs and, if available, annual expenses / estimated costs / budget of contractual arrangements)
Further holistic assessment
Propose list of CTPPs to the Oversight Forum
The data to assess the quantitative and qualitative indicators will be sourced mainly from the registers of information maintained by FEs under the scope of DORA as well as existing available data from the ESAs and the competent authorities.
The details on the collective application of steps 1 and 2 are out of scope of the Joint ESAs’ technical advice. However, the ESAs consider it appropriate to develop a methodology in this regard. The ESAs indicated that finalisation of the methodology should follow no later than six months after the adoption of the related delegated act by the Commission and in the context of the implementation of the oversight framework.
Joint advice on oversight fees
Pursuant to Article 43 of DORA, a Lead Overseer must charge fees to CTPPs that cover the necessary expenditure incurred by the Lead Overseer in relation to oversight. A Lead Overseer is the ESA that is appointed as responsible for the oversight of the assigned CTPPs and is the primary point of contact for those CTPPs for matters related to oversight.
The types of expenditure and costs that must be covered by the fees charged by the Lead Overseers are specified in Article 43:
- the necessary expenditure incurred by the Lead Overseers in relation to the conduct of oversight tasks, including the reimbursement of any costs which may be incurred as a result of work carried out by the Joint Examination Team and the costs of advice provided by any independent experts appointed by the Oversight Forum; and
- costs derived from the execution of the Lead Overseer’s duties, which should be proportionate to the CTPP’s turnover.
In order to further specify the requirements in Article 43, the Commission is empowered to adopt a delegated act setting out the details for determining the amount of fees and the way in which the fees are to be paid by CTPPs. To assist the Commission with formulating the delegated act, the Commission invited the ESAs to make proposals for determining the amount of the oversight fees and the way in which they are to be paid.
The proposals in the ESAs’ Joint Advice discuss (in detail):
- the types of estimated expenditure (for both the ESAs and the competent authorities) to be covered by oversight fees
- the basis for calculating the expenditure
- the appropriate method, basis and available information for determining the applicable turnover of the CTPPs (which will form the basis of fee calculation)
- the overall method for calculating the oversight fees
- other practical issues regarding the payment of fees by CTPPs
- a proposed financial contribution for voluntary opt-in requests, which is included in the report
The ESAs will specify other practical aspects regarding the estimation of oversight expenditures and operational aspects in the context of the implementation of the oversight framework.
Next steps
As noted above, both delegated acts must be adopted by the Commission by 17 July 2024.
Until then, the ESAs remain at the disposal of the European Commission, including for the provision of further information that could support it in preparing the delegated acts that the ESAs’ technical advice relates to.
For more information on this topic please contact Patrick Brandt, Partner, Caoimhe Crowley, Solicitor, Sarah Lee, Senior Knowledge Lawyer, or any member of A&L Goodbody's Financial Regulation Advisory team.
Date published: 17 October 2023