This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

Commission finalises approach to criticality criteria and oversight fees under DORA

The European Commission has adopted two delegated regulations under the EU’s Digital Operational Resilience Act. This builds on advice given by the European Supervisory Authorities and the Commission’s consultation on the draft texts. IT firms should engage with these finalised texts to help them anticipate the scope and impact of DORA.

The first delegated regulation specifies the criteria for the designation of ICT third-party service providers as critical for financial entities. Despite respondents to the Commission’s consultation raising concerns that the criteria are too low and not sufficiently targeted to the size and nature of the service provider, the final version of the legislation is largely unchanged from the draft released last year (as described in our previous blogpost).

The second delegated regulation determines the amount of the oversight fees to be charged to critical ICT third party service providers. The final version includes some technical changes (see the table below). In particular, the Commission initially plans to split the costs equally among the first batch of critical ICT third party service providers designated under DORA.

The European Parliament and Council now consider the revised texts. If neither objects, they will be added to the Official Journal of the EU later this year.



dora, digital, operational resilience