CDR 2024-1502 Article 2

Article 2 – Systemic impact of ICT third-party service providers on the stability, continuity or quality of the provision of financial services

  1. When considering the criterion set out in Article 31(2), point (a), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:
    1. sub-criterion 1.1: share of the number of financial entities, broken down by categories of financial entities as listed in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions;
    2. sub-criterion 1.2: share of the total value of assets of financial entities, broken down by categories of financial entities as listed in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party provider where the ICT services support critical or important functions of financial entities.
  2. The sub-criterion 1.1 set out in paragraph 1, point (a), shall be calculated as follows:
    number of financial entities of a category of financial entities

    as set out in Article 2(1) of Regulation (EU) 2022/2554,

    to which ICT services are provided by the same ICT third party services provider

    where the ICT services support critical or important functions of financial entities
    total number of financial entities of a category of financial entities

    as set out in Article 2(1) of Regulation (EU) 2022/2554
  3. The sub-criterion 1.2 set out in paragraph 1, point (b), shall be calculated as follows:
    total value of assets of financial entities of a category of financial entities

    as listed in Article 2(1) of Regulation (EU) 2022/2554,

    to which ICT services are provided by the same ICT third party provider

    where the ICT services support critical or important functions of financial entities
    total value of assets of all EU financial entities of the same category

    as set out in Article 2(1) of Regulation (EU) 2022/2554
  4. An ICT third-party service provider shall be considered as having fulfilled the ‘step 1’ sub-criteria referred to in paragraph 1 where both of the shares as calculated in accordance with paragraphs 2 and 3 are of at least 10 % of the total number for at least one category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.
  5. When considering the criterion set out in Article 31(2), point (a), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criteria:
    1. sub-criterion 1.3: the intensity of the impact of discontinuing the ICT services provided by the ICT third-party service provider on the activities and operations of financial entities identified in the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article and the number of those financial entities affected;
    2. sub-criterion 1.4: the dependence of the critical ICT third-party service provider on the same subcontractors providing ICT services supporting critical or important functions of financial entities.