The European Commission has opened a four-week consultation on two draft delegated acts under the EU’s Digital Operational Resilience Act (DORA). One draft act specifies criteria for the designation of ICT third party service providers as “critical” for financial entities. The other determines the amount of fees these critical ICT third party service providers would need to pay. Feedback on both texts is invited by 14 December 2023.
DORA requires EU financial entities to, for example, improve their ICT risk management processes, conduct testing of ICT systems and report ICT incidents. In addition, DORA sets up an oversight framework for providers of ICT services that are deemed to be “critical” to financial entities. The aim is to address concentration risk caused by many firms relying on a small number of critical third party providers.
DORA tasks the European Supervisory Authorities with designating which ICT third party service providers are “critical” and specifies some high level criteria for the ESAs to follow when doing so. DORA also invites the Commission to adopt a delegated act to specify further criticality criteria.
One of the ESAs will be appointed as Lead Overseer for each critical third party provider. This Lead Overseer will, for example, assess whether the critical third party provider has effective arrangements to manage the ICT risk which it poses to financial entities. To cover their Lead Overseer’s costs, critical third party providers will be charged oversight fees and DORA empowers the Commission to determine how – and how much – they will need to pay.
To help the development of these delegated acts, the ESAs submitted technical advice to the Commission in September 2023.
In line with the ESAs’ advice, the Commission proposes a two-step process for determining which ICT third party service providers should be deemed critical. According to the Commission, the ESAs should use the first quantitative step to filter the population of ICT service providers. The second qualitative step allows for further in-depth analysis.
Under step 1 the ESAs have to assess whether the ICT third party service provider meets several sub-criteria. For example, one sub-criterion requires the ESAs to assess the number of financial entities serviced by the ICT third party service provider. If this is at least 10% of the total number of that category of financial entities under DORA, then this sub-criterion will be fulfilled. Referring to the categories of financial entities could produce some odd results, given that the population of “investment firms” under MiFID is much larger than, say, the number of EU central counterparties.
All the sub-criteria under step 1 relate to ICT services which support financial entities’ critical or important functions. In other words, if financial entities only use ICT services to support non-important functions, the provider of those services cannot be designated as “critical”. The outcome at step 1 therefore depends in part on how financial entities judge the importance of their functions.
If all the criteria under step 1 are fulfilled, the ESAs then consider five further qualitative criteria. For example, the ESAs will assess the intensity of the impact if the ICT services were no longer available. They will also consider the “critical nature” of the ICT services.
The outcome is a pseudo-scientific approach to designation. It provides the ESAs with a structure to work through – including some maths homework under step 1 – but also allows the ESAs scope for discretion at step 2. It also means that the process for anticipating designation remains opaque. Without knowing the relevant denominator figures under step 1, or being able to second-guess the ESAs’ assessment at step 2, it will be difficult to predict whether any given provider of ICT services is likely to be designated as “critical”.
In their first year of designation, critical third party providers must pay a one-off fee of €500,000. Thereafter, the Commission proposes asking critical third party providers to pay annual fees proportionate to their turnover. Generally this should relate to turnover generated by the provider in the EU from the provision of ICT services to financial entities. Where information about the applicable revenues is not provided, the Lead Overseer may establish the amount of the oversight fee based on worldwide revenues instead.
The minimum annual oversight fee is €50,000. This is to make sure that the ESAs recover some fixed administrative costs regardless of providers’ revenues.
The Commission seeks feedback on both delegated acts by 14 December 2023. It then has until 17 July 2024 to adopt the final version of the texts.