On May 26, 2023, the European Supervisory Authorities (ESAs) published a joint Discussion Paper on criteria for critical ICT third-party service providers and oversight fees. This Discussion Paper follows the request for technical advice that was sent by the European Commission (Commission) to the ESAs in late December 2022.
The ESAs have published the Discussion Paper in light of the mandate given to them under the Digital Operational Resilience Act (DORA) which sets out four high-level criteria that the ESAs will use for the purpose of designating critical ICT third-party service providers. The Commission invites the ESAs to specify the designation criteria for critical ICT third-party service providers, including to provide sets of qualitative and quantitative indicators for each of the four criteria, which, if applicable should be accompanied by minimum thresholds triggering such indicators.
The deadline for comments on the Discussion Paper is June 23, 2023. The ESAs are expected to provide their technical advice to the Commission by September 30, 2023.
The remainder of this article discusses some of the key points that the Discussion Paper makes regarding:
- criticality assessment; and
- oversight fees payable by critical ICT third-party service providers.
Criticality assessment
A two-step indicative designation process for criticality assessment: the ESAs propose a two-step approach. Step 1 would assess ICT third-party service providers against a set of minimum relevance thresholds in order to identify those providers that could potentially be considered critical later in the designation process; Step 2 would further assess a sub-set of those ICT third-party service providers against an additional set of criticality indicators.
The ESAs seek stakeholder comments on the proposed approach, on any additional issues that should be covered in this context, and on practical challenges, including the approach to already designated critical ICT third-party service providers that may fall below the relevant thresholds over time.
In the subsequent part of the Discussion Paper, the ESAs set out the relevant indicators for each of the four high-level designation criteria, and suggest tentative approaches/thresholds for the Step 1 and Step 2 assessment:
Criterion 1: impact on the provision of financial services
- Step 1 indicators:
- Number of financial entities using ICT services provided by the same ICT third party provider (TPP): 10% or more of total number of financial entities in the EU (total and / or per type of financial entity).
- Share of financial entities using ICT services provided by the same ICT TPP: 10% or more of total value of assets / total assets-equivalent of financial entities in the EU (per type of financial entity).
- Step 2 indicators:
- Share of financial entities for which a large-scale operational failure of the same ICT TPP would imply a substantial negative impact on the services, activities and operations of those financial entities: the ESAs note that this indicator is highly dependent on the subjective judgment of the financial entities, e.g. considering circumstances when ICT business continuity plans would be triggered. They also note that it is important to cover critical sub-contractors and that, when a sub-contractor belongs to a group, the group should be considered as a whole.
- Number of designated Critical TPPs (CTPPs) using the same sub-contractors for providing services to financial entities supporting critical or important functions: the ESAs note that the objective of this indicator is to identify the critical sub-contractors in the EU financial system, extending to all providers in the sub-contracting chain. They also note that this indicator can only be applied once a first list of CTPPs is available i.e., after the first year of designation.
Criterion 2: importance of financial entities
- Step 1 indicators:
- Number of global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs) using ICT services provided by the same ICT TPP: the ESAs note that whilst this indicator relates to credit institutions that could be classified as G-SIIs or O-SIIs, the rationale behind it is that the more financial entities classified as G-SIIs and O-SIIs use ICT services provided by the same provider, the higher the ICT third-party service provider’s level of criticality for the EU financial sector. The ESAs propose the following tentative thresholds: at least one G-SII, or at least three O-SIIs, or at least one O-SII with an O-SII score above 3,000.
- Number of financial entities identified as systemic by Member State competent authorities, other than G-SIBs and O-SIBs, using ICT services provided by the same provider: the ESAs explain that this indicator aims at capturing the reliance of other types of financial entities, which are ‘systemic’ and not included in the publicly available list of G-SIIs or O-SIIs; this indicator refers to ‘financial entities identified as systemic’ based on supervisory expert judgment. The proposed tentative threshold: at least one financial entity (other than a credit institution) identified as ‘systemic’ by Member State competent authorities.
- Step 2 indicator:
- Interdependence between G-SIIs or O-SIIs and other financial entities using ICT services provided by the same ICT third-party service provider: the ESAs explain that the objective of this indicator is to capture financial entities’ interconnectedness with other financial entities in the EU financial system, which – all together – receive ICT services from the same provider. That said, they also note that measuring this in a quantitative manner to cover the entire EU financial sector is highly challenging due to the lack of concrete and representative data in relation to such interdependencies within the financial sector and additional analysis will be required.
Criterion 3: critical or important functions
- Step 1 indicator:
- Share of financial entities using ICT services provided by the same ICT third-party service providers where these ICT services support critical or important functions: the ESAs propose the following tentative minimum relevance thresholds: 10% or more of total value of assets / total assets-equivalent per type of financial entity in the EU; or 10% or more of total number of financial entities in the EU.
- Step 2 indicator:
- Level of criticality of ICT services provided to financial entities by the same ICT third-party service provider: the ESAs note that this indicator could benefit from an indicative ‘ICT services’ taxonomy to allow the identification of the different types of ICT services provided to EU financial entities and assess the different level of criticality these ICT services may entail, in particular when supporting critical or important functions. They add that such a taxonomy could be developed at a later stage.
Criterion 4: degree of substitutability
- Step 1 indicators:
- Share of financial entities reporting that no alternative ICT third-party service providers are available or have the required ability and / or capacity to provide the same ICT services as the existing ICT third-party service provider: the ESAs explain the rationale behind this threshold being that the more difficult it is to substitute an ICT third-party service provider, the higher the ICT provider’s level of criticality for the EU financial sector. The ESAs propose the following tentative minimum relevance thresholds: 10% or more of total value of assets / total assets-equivalent per type of financial entity in the EU; or 10% or more of total number of financial entities in the EU.
- Share of financial entities reporting that it is highly complex / difficult to migrate or reintegrate ICT services provided by an ICT TPP to support critical or important functions: the ESAs propose the following tentative minimum relevance thresholds: 10% or more of total value of assets/ total assets-equivalent of financial entities in the EU; or 10% or more of total number of financial entities in the EU.
- Step 2 indicator:
- Market share of ICT third-party service providers: the ESAs explain that, for each ICT third-party service provider, this indicator is calculated from two ratios: (i) per type of ICT service, the total annual expenses or estimated costs of all contractual arrangements which the ICT third-party service provider has in place with EU financial entities falling under the scope of DORA, divided by the total annual expenses or estimated costs of all contractual arrangements which all ICT third-party service providers have in place for the same type of ICT service; and (ii) the total number of financial entities using ICT services provided by the same ICT third-party service provider, divided by the total number of EU financial entities using ICT services of ICT third-party service providers.
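The Step 1 minimum relevance thresholds for Criteria 1, 3 and 4 and the Criterion 4 market-share ratios above are all ratios of a selected set of financial entities against the EU-wide population, computed by entity count and by total assets, overall and per type of financial entity. The following Python script is an added illustration and not part of the Discussion Paper: the EU-wide totals, the entity records, the field names and the rule that crossing any one ratio counts as crossing the threshold are constructed assumptions; only the 10% thresholds and the ratio definitions are taken from the text.

```python
"""Step 1 minimum relevance thresholds (Criteria 1, 3 and 4) and the
Criterion 4 Step 2 market-share indicator, evaluated over a constructed
sample. Added example: population totals, entity records and field names
are assumptions; the 10% thresholds and ratio definitions follow the
Discussion Paper as summarised above."""
from dataclasses import dataclass, field

THRESHOLD = 0.10  # 10% minimum relevance threshold proposed for Step 1

# Constructed EU-wide population per type of financial entity:
# (number of entities, total assets / assets-equivalent in EUR bn).
# A supervisory register would supply the real figures.
EU_TOTALS = {
    "credit_institution": (4000, 10_000.0),
    "insurer": (2500, 3_000.0),
    "investment_firm": (6000, 2_000.0),
}


@dataclass
class Entity:
    """One financial entity's reported ICT third-party usage (constructed)."""
    name: str
    kind: str
    assets: float                                  # EUR bn
    contracts: dict = field(default_factory=dict)  # provider -> {service: EUR m per year}
    cif: set = field(default_factory=set)          # providers supporting critical/important functions
    no_alternative: set = field(default_factory=set)   # providers reported as non-substitutable
    hard_to_migrate: set = field(default_factory=set)  # providers reported as hard to migrate from


# Constructed reports: only entities that reported a contract appear here.
REPORTS = [
    Entity("Bank A", "credit_institution", 900, {"CloudCo": {"hosting": 12, "data": 3}},
           cif={"CloudCo"}, no_alternative={"CloudCo"}),
    Entity("Bank B", "credit_institution", 600, {"CloudCo": {"hosting": 8}, "PayHub": {"payments": 5}},
           cif={"CloudCo", "PayHub"}, hard_to_migrate={"CloudCo"}),
    Entity("Bank C", "credit_institution", 300, {"PayHub": {"payments": 4}}, cif={"PayHub"}),
    Entity("Insurer A", "insurer", 400, {"CloudCo": {"hosting": 6}}, no_alternative={"CloudCo"}),
    Entity("Insurer B", "insurer", 150, {"NicheSoft": {"hosting": 2}}),
    Entity("Fund A", "investment_firm", 80, {"CloudCo": {"data": 2}}),
    Entity("Fund B", "investment_firm", 30, {"NicheSoft": {"hosting": 0.5}}, cif={"NicheSoft"}),
]


def indicator(selected, per_type_count=False):
    """Share of `selected` entities in the EU population, by count and assets.

    Returns (passes, metrics). Passes when the EU-wide count share, or the
    asset share within any one entity type (and, for Criterion 1, the count
    share within a type), reaches THRESHOLD.
    """
    total_count = sum(n for n, _ in EU_TOTALS.values())
    metrics = {"count_share": len(selected) / total_count, "by_type": {}}
    passes = metrics["count_share"] >= THRESHOLD
    for kind, (n_kind, assets_kind) in EU_TOTALS.items():
        group = [e for e in selected if e.kind == kind]
        count = len(group) / n_kind
        assets = sum(e.assets for e in group) / assets_kind
        metrics["by_type"][kind] = {"count": count, "assets": assets}
        if assets >= THRESHOLD or (per_type_count and count >= THRESHOLD):
            passes = True
    return passes, metrics


def criterion1(provider):
    """Impact on the provision of financial services: all entities using the provider."""
    return indicator([e for e in REPORTS if provider in e.contracts], per_type_count=True)


def criterion3(provider):
    """Critical or important functions: entities where the provider supports one."""
    return indicator([e for e in REPORTS if provider in e.cif])


def criterion4(provider):
    """Degree of substitutability: either Step 1 indicator crossing the threshold."""
    no_alt = indicator([e for e in REPORTS if provider in e.no_alternative])
    migrate = indicator([e for e in REPORTS if provider in e.hard_to_migrate])
    return no_alt[0] or migrate[0], {"no_alternative": no_alt[1], "hard_to_migrate": migrate[1]}


def market_share(provider, service):
    """Criterion 4 Step 2: (share of annual spend on `service`, share of
    provider-using entities among entities using any provider)."""
    spend_provider = sum(e.contracts.get(provider, {}).get(service, 0.0) for e in REPORTS)
    spend_all = sum(c.get(service, 0.0) for e in REPORTS for c in e.contracts.values())
    users_provider = sum(1 for e in REPORTS if provider in e.contracts)
    users_any = sum(1 for e in REPORTS if e.contracts)
    return (spend_provider / spend_all if spend_all else 0.0,
            users_provider / users_any if users_any else 0.0)


def step1_summary(provider):
    """Which Step 1 criteria a provider crosses."""
    return {"criterion1": criterion1(provider)[0],
            "criterion3": criterion3(provider)[0],
            "criterion4": criterion4(provider)[0]}


if __name__ == "__main__":
    for p in ("CloudCo", "PayHub", "NicheSoft"):
        print(p, step1_summary(p), "hosting market share:", market_share(p, "hosting"))
```

With the constructed figures, CloudCo crosses Criterion 1 through the asset share of credit institutions (15%) and Criterion 4 through insurers (13%), while PayHub stops at 9% of credit-institution assets and NicheSoft stays far below every threshold. The EU-wide count route never triggers here because a handful of reports is small against thousands of entities; the per-type asset route is what makes a provider with a few large clients relevant, which is the point of assessing per type of financial entity.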
Oversight fees payable by critical ICT third-party service providers
Once designated as critical, ICT third-party service providers will have to pay oversight fees to the ESA designated as their ‘Lead Overseer’ to fund the ESA’s oversight tasks. The ESAs note a number of challenges linked with preparing this technical advice, notably the lack of information on the future critical ICT third-party service providers, as their designation will take place after the publication of the related delegated act.
The ESAs also note that they have a limited understanding of the type of ICT services provided by ICT third-party service providers and they seek feedback from relevant stakeholders on such services. That said, the ESAs discuss the scope of the oversight fees in relation to their estimated oversight expenditure and applicable turnover of the critical ICT third-party service provider:
- Estimated oversight expenditure: the ESAs propose that at a minimum, the oversight fees cover their activities linked with: designation of critical ICT third-party service providers, conduct of the oversight, follow up recommendations issued by the Lead Overseer and governance of the oversight.
- Applicable turnover of the critical ICT third-party service provider: the ESAs propose to refer in the delegated act to the certified revenues in the audited accounts of the critical ICT third-party service provider of the year (n-2) as being the information used to calculate the oversight fee for a given year (n). Noting the lack of available information about the precise scope of ICT services provided, the ESAs propose that the delegated act would establish that the revenues generated by all the services provided by the critical ICT third-party service provider are considered in the determination of the applicable turnover.
The ESAs also note that they need to better understand the geographical distribution of the revenues of critical ICT third-party service providers, and that the applicable turnover as determined should at least take into account all revenues generated from the provision of services to entities subject to DORA. To this end, the ESAs propose two alternative prospective solutions: to the extent that it is possible for all CTPPs to provide audited revenues covering all European-based activities, the ESAs may provide that such revenues are used to determine the applicable turnover; the alternative default solution would be to consider worldwide revenues as the applicable turnover.
The ESAs also consider solutions regarding the identification of the client profiles of critical ICT third-party service providers, and in particular revenues covering their financial sector clients that are subject to DORA. Finally, the ESAs propose not to use in the delegated act the criticality of the functions supported by the provided ICT services as a criterion to determine the applicable turnover of the critical ICT third-party service provider.
- Methods of calculating the oversight fees: the ESAs are of the view that yearly adaptable fees calculated through a fully proportionate approach should be used to calculate the annual oversight fees for CTPPs. To this end, the percentage of the oversight fees payable by a CTPP would be determined by comparing the applicable turnover of that provider against the applicable turnover of all CTPPs. The ESAs add that such calculation should be complemented by a minimum fixed oversight fee, set at €50,000 ($53,000). The ESAs also propose to determine the calculation of the annual oversight fees at cross-ESA level, and consider how to deal with potential deficits or surpluses of the oversight fees collected.
- Practical issues related to the payment of the fees: the ESAs propose to establish a one-instalment payment for the collection of the annual oversight fees from all CTPPs, with fees payable by the end of April each year.
- Treatment of the opt-in application: the ESAs note that there are no provisions in DORA related to the fees to be paid by those CTPPs that would voluntarily opt into the critical regime. To this end, the ESAs propose to define a fixed fee that ICT service providers would have to pay when they submit an opt-in application to the ESAs, set at EUR 50,000 ($53,000).
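The fee model described above (applicable turnover taken from the audited accounts of year n-2, a fully proportionate share of the ESAs' estimated oversight expenditure, a minimum fixed fee of €50,000, and the resulting surplus or deficit) can be written down as a short calculation. The script below is an added illustration, not a method from the Discussion Paper: the providers, their revenue figures, the expenditure estimate, and the reading of the €50,000 floor as a per-provider minimum that is applied after the proportionate share are all assumptions.

```python
"""Annual oversight fee apportionment across designated CTPPs, following the
fully proportionate approach with a minimum fixed fee summarised above.
Added example: providers, audited revenues, the estimated oversight
expenditure and the treatment of the EUR 50,000 floor as a per-provider
minimum are assumptions, not figures or rules from the Discussion Paper."""

MINIMUM_FIXED_FEE = 50_000.0  # EUR, proposed minimum fixed annual oversight fee

# Constructed certified revenues from audited accounts, in EUR, per financial
# year. Following the proposal, revenues from all services count towards the
# applicable turnover.
AUDITED_REVENUES = {
    "HyperCloud": {2021: 7_500_000_000, 2022: 8_000_000_000},
    "MidHost": {2021: 850_000_000, 2022: 900_000_000},
    "SmallSaaS": {2021: 18_000_000, 2022: 20_000_000},
}


def applicable_turnover(audited_revenues, provider, fee_year):
    """Turnover used for fee year n is the certified revenue of year n-2."""
    try:
        return float(audited_revenues[provider][fee_year - 2])
    except KeyError:
        raise ValueError(f"{provider}: no audited accounts for {fee_year - 2}") from None


def apportion_fees(audited_revenues, fee_year, estimated_expenditure):
    """Return ({provider: fee in EUR}, collected minus estimated expenditure).

    Each CTPP's share is its applicable turnover divided by the applicable
    turnover of all CTPPs; its fee is that share of the estimated oversight
    expenditure, raised to the minimum fixed fee where the proportionate
    amount is lower. Because the floor only ever raises a fee, the amount
    collected can exceed the estimate; the difference is returned so the
    caller can decide how a surplus (or, under other rules, a deficit) is
    treated, which the ESAs leave open.
    """
    turnovers = {p: applicable_turnover(audited_revenues, p, fee_year)
                 for p in audited_revenues}
    total_turnover = sum(turnovers.values())
    fees = {}
    for provider, turnover in turnovers.items():
        proportionate = turnover / total_turnover * estimated_expenditure
        fees[provider] = max(MINIMUM_FIXED_FEE, proportionate)
    return fees, sum(fees.values()) - estimated_expenditure


if __name__ == "__main__":
    fees, balance = apportion_fees(AUDITED_REVENUES, 2024, 12_000_000)
    for provider, fee in fees.items():
        print(f"{provider:<10} EUR {fee:>14,.2f}")
    print(f"collected minus estimate: EUR {balance:,.2f}")
```

With these constructed inputs the smallest provider's proportionate share comes to roughly €26,900, so it pays the €50,000 minimum instead and the ESAs collect about €23,100 more than their estimate; that is exactly the surplus question the paper flags for further consideration.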
Anna Carrier, Senior Government and Regulatory Affairs Advisor, is a lawyer in Norton Rose Fulbright’s financial services regulatory and government relations practice in the Brussels office.