ESAs specify criticality criteria and oversight fees for critical ICT third-party providers under DORA in response to the European Commission’s call for advice 

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today published their joint response to the European Commission’s Call for Advice on two EC delegated acts under the Digital Operational Resilience Act (DORA) specifying further criteria for critical ICT third-party service providers (CTPPs) and determining oversight fees levied on such providers.

In relation to the criticality criteria, the ESAs propose 11 quantitative and qualitative indicators along with the necessary information to build up and interpret such indicators following a two-step approach. The ESAs also put forward minimum relevance thresholds for quantitative indicators, where possible and applicable, to be used as starting points in the assessment process to designate critical third-party providers. This joint response does not include any details of the designation procedure nor of the related methodology as these are out of the scope of this Call for Advice. However, the ESAs plan to define these details no later than six months after the adoption of the delegated act by the Commission.

Regarding the oversight fees, the ESAs make proposals for determining the amount of the fees to be levied on CTPPs and the way in which they are to be paid. The ESAs’ proposals cover the types of estimated expenditures (for both the ESAs and the competent authorities) that shall be covered by oversight fees as well as the basis for the expenditures’ calculation and the available information for determining the applicable turnover of the CTPPs (the basis of fee calculation) and the method of fee calculation together with other practical issues regarding the collection of fees. In addition, the advice proposes a financial contribution for voluntary opt-in requests. The ESAs will specify other practical aspects on the estimation of oversight expenditures and operational aspects in the context of the implementation of the oversight framework.

Legal basis

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 form the legal basis for the ESAs’ response.

Background

In December 2022, the Commission issued to the ESAs a Call for Advice (CfA) in relation to two delegated acts under DORA to 1) specify further criteria for critical ICT third-party service providers and 2) determine the fees levied on such providers.

To inform the responses, the ESAs held a public consultation (May-June 2023). In light of the 41 responses received from various stakeholders, the ESAs have amended the draft advice on the criticality criteria to increase the role of critical or important functions in the assessment and further streamlined the proposed set of indicators. Regarding the oversight fees, the ESAs have, among others, adapted their advice by proposing to define the scope of the applicable turnover on a narrower basis. Overall, market participants expressed support to the proposals related to the other aspects of the advice, while requesting clarifications on some other points.