Commission Delegated Regulation that supports DORA regulation
Full Text of CDR 2024-1502
Criteria for the designation of ICT third-party service providers as critical for financial entities
Article 3 – Systemic character and importance of the ICT services provided to financial entities
- When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:
- sub-criterion 2.1: number of global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs) that are credit institutions to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions;
- sub-criterion 2.2: number of financial entities, other than credit institutions and G-SIIs and O-SIIs referred to in point (a) above, identified as systemic by competent authorities referred to under Article 46 of Regulation (EU) 2022/2554 to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions.
- An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (a), if the ICT services it provides are used at least by either of the following:
- one G-SII;
- at least three O-SIIs;
- at least one O-SII with an O-SII score above 3 000 calculated in accordance with Article 131(3) of Directive 2013/36/EU of the European Parliament and of the Council (2).
- An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (b), if the ICT services that it provides are used at least by either of the following:
- one financial entity that is a financial entity as referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which is identified as ‘systemic’ by competent authorities;
- at least three financial entities, other than credit institutions and than financial entities referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which are identified as ‘systemic’ by competent authorities.
- When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criterion:
- sub-criterion 2.3: G-SIIs or O-SIIs and other financial entities included in the assessment in the ‘step 1’ sub criteria referred to in paragraph 1 of this Article, including where those G-SIIs or O-SIIs provide financial infrastructure services to other financial entities, relying on an ICT service provided by the same ICT third-party service provider, are interdependent.