DORA, the EU’s regime for operational resilience, imposes obligations on technology firms providing critical services to the financial services sector. The European Supervisory Authorities (ESAs) have suggested criteria for determining which providers should be designated as “critical”.
The latest technical advice from the ESAs follows their May 2023 discussion paper and their more recent high-level analysis of how financial services firms rely on ICT third-party service providers.
Criteria for criticality
The ESAs propose a number of relevant quantitative and qualitative indicators for each of the criticality criteria set in DORA. The ESAs envisage a two-step process for a criticality assessment.
- The first step involves testing six quantitative criticality indicators. At this stage, the ESAs will look at measures such as whether the provider provides ICT services enabling the critical and important functions of 10% or more of financial entities in the EU. The six quantitative criticality indicators will be assessed on a “holistic” basis.
- Providers who exceed a certain number of the six quantitative criticality thresholds are then subject to further assessment in step two.
- The second step involves further assessment based on five additional indicators. At this stage, the ESAs will look at measures such as whether the provider provides ICT services for which the impact of discontinuation would be assessed as “high” on the activities and operations of financial entities. The second step of assessment is also done holistically.
- The outcome of applying the step one and step two indicators will be a proposed list of critical third-party providers (CTPPs), which is submitted to an Oversight Forum. The forum makes recommendations to the ESAs' Joint Committee, which ultimately designates CTPPs.
The ESAs note that the assessment of the proposed indicators is subject to the availability of data. Where data is inadequate, insufficient, incomplete or not available in time, the ESAs propose, as also recommended during the public consultation, to rely to the extent possible on existing available data or to seek industry input, and to apply expert judgement in order to meet their obligation.
These indicators are minimum relevant thresholds for the assessment of criticality. However, meeting these thresholds will not necessarily trigger determination as a CTPP. The ESAs have not yet finalised their methodology for determining CTPPs.
Oversight fees
The ESAs propose calculating the percentage of oversight fees paid by each CTPP by taking the applicable turnover of the respective CTPP and dividing it by the applicable turnover of all CTPPs. To ensure that all CTPPs pay a relevant annual fee, this calculation will be complemented by a minimum fixed oversight fee, which would be paid if the fee resulting from the calculation is smaller than that minimum. The ESAs propose that the minimum fee be fixed at €50,000.
The ESAs suggest calculating the applicable turnover of the CTPPs on the basis of the worldwide revenues of the ICT services provided to all their clients and adjusted to reflect their criticality in the EU.