CDR 2024-1502 Article 3

Article 3 – Systemic character and importance of the ICT services provided to financial entities

  1. When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:
    (a) sub-criterion 2.1: number of global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs) that are credit institutions to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions;
    (b) sub-criterion 2.2: number of financial entities, other than credit institutions and G-SIIs and O-SIIs referred to in point (a) above, identified as systemic by competent authorities referred to under Article 46 of Regulation (EU) 2022/2554 to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions.
  2. An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (a), if the ICT services it provides are used at least by either of the following:
    (a) one G-SII;
    (b) at least three O-SIIs;
    (c) at least one O-SII with an O-SII score above 3 000 calculated in accordance with Article 131(3) of Directive 2013/36/EU of the European Parliament and of the Council (2).
  3. An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (b), if the ICT services that it provides are used at least by either of the following:
    (a) one financial entity that is a financial entity as referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which is identified as ‘systemic’ by competent authorities;
    (b) at least three financial entities, other than credit institutions and than financial entities referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which are identified as ‘systemic’ by competent authorities.
  4. When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criterion:
    (a) sub-criterion 2.3: G-SIIs or O-SIIs and other financial entities included in the assessment in the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, including where those G-SIIs or O-SIIs provide financial infrastructure services to other financial entities, relying on an ICT service provided by the same ICT third-party service provider, are interdependent.
(2) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338, ELI: https://data.europa.eu/eli/dir/2013/36/oj).