New EU rules on operational resilience will bring providers of critical ICT services under the supervision of financial authorities. Unsurprisingly then, tech businesses that serve the EU financial industry are interested in whether and how they might be designated as providing “critical” services. A new paper opens a debate about the designation criteria, but you only have a couple of weeks to provide your feedback.
The European Supervisory Authorities – ESMA, EBA and EIOPA – have published a discussion paper seeking input from market participants on two aspects of the Digital Operational Resilience Act, affectionately known as DORA: (1) the designation criteria for critical ICT third-party service providers (CTPPs), and (2) oversight fees for CTPPs.
The paper sets out proposals covering the designation criteria to be considered by the European Supervisory Authorities when assessing the critical nature of ICT third-party service providers (ICT TPPs). In particular, they propose an indicator-based assessment to determine criticality. Providers that are deemed CTPPs will then be subject to the oversight framework under DORA.
The paper envisages an initial two-step process. In summary:
- Step 1 – ICT TPPs will be assessed against quantitative criticality indicators and minimum relevance thresholds.
- Step 2 – ICT TPPs that exceed a certain number of minimum relevance thresholds from step 1 may be assessed against an additional set of criticality indicators.
Proposed indicators for the assessment include the potential concentration risks, the importance of the financial entities and activities being serviced, and the degree of substitutability. Sitting behind these indicators are minimum relevance thresholds, as further described in the paper.
Following steps 1 and 2, and an additional “holistic / collective assessment”, a proposed list of CTPPs will be drawn up. The list of essential / important entities under NIS2 and CER may be used to inform the designation process.
The discussion paper also includes proposals in relation to the amount of the fees levied on CTPPs and the way in which they are to be paid. In particular, the paper explores the types of expenditure that should be covered by fees as well as the appropriate method, basis and information for determining the applicable turnover of the CTPPs (which will form the basis of fee calculation). The European Supervisory Authorities are also seeking input on the fee calculation method and other practical issues regarding the payment of fees.
In summary, the initial plan involves determining applicable turnover based on certified audited accounts of the year (n-2) and overall revenues generated by all services provided by the CTPP. That said, the European Supervisory Authorities are open to suggestions on alternative approaches and are interested in whether CTPPs could feasibly provide audited revenues generated by the provision of services to European clients / financial sector clients subject to DORA.
The discussion paper closes for comments on 23 June 2023. The feedback collected from the discussion paper will inform the technical advice that the European Supervisory Authorities have to deliver to the Commission by 30 September 2023.