Commission Delegated Regulation that supports DORA regulation
Full Text of CDR 2025-295
Information to be provided by ICT third-party service provider
Article 1 – Information to be provided by ICT third-party service provider in the application to be designated as critical
- The information and communication technology (ICT) third-party service provider shall submit the following information in the reasoned application for a voluntary request under Article 31(11) of Regulation (EU) 2022/2554 to be designated as critical pursuant to Article 31(1), point (a), of Regulation (EU) 2022/2554:
  - name of the legal entity;
  - legal entity identification code;
  - name of contact person and contact details of the critical ICT third-party service provider;
  - country where the legal entity has registered office;
  - description of the corporate structure including at least information on its parent company and other related undertakings providing ICT services to Union financial entities. That information shall include where applicable:
    - name of the legal entities;
    - legal entity identification code;
    - country where the legal entity has registered office;
  - an estimation of the market share of the ICT third-party service provider in the Union financial sector and estimation of the market share per type of financial entity as referred to in Article 2(1) of Regulation (EU) 2022/2554 as of the year of submission of the application to be designated as critical and the year before that application;
  - a description of each ICT service provided to Union financial entities including:
    - a description of the nature of business and the type of ICT services provided to financial entities;
    - a list of the functions of financial entities supported by the ICT services provided, where available;
    - information whether the ICT services provided to financial entities support critical or important functions, where available;
  - a list of financial entities that make use of the ICT services provided by the ICT third-party service provider, including the following information for each of the financial entity serviced, where available:
    - name of the legal entity;
    - legal entity identification code, where known to the ICT third-party service provider;
    - type of financial entity as specified in Article 2(1) of Regulation (EU) 2022/2554;
    - the geographic location from which the ICT services are provided to that specific legal entity;
  - a list of the critical ICT third-party service providers included in the latest available list of such providers published by the ESAs pursuant to Article 31(9) of Regulation (EU) 2022/2554 that rely on the services provided by the applicant where available;
  - a self-assessment as regards the following:
    - the degree of substitutability for each ICT service provided by the applicant considering the following:
      - the market share of the ICT third-party service provider in the Union financial sector;
      - the number of known relevant competitors per type of ICT services, or group of ICT services;
      - description of specificities relating to the ICT services offered, including in relation to any proprietary technology, or the specific features of the ICT third-party service provider’s organisation or activity;
    - knowledge about the availability of the alternative ICT third-party service providers to provide the same ICT services as the ICT third-party service provider submitting the application;
  - information on a future business strategy in relation to the provision of ICT services and infrastructure to financial entities in the Union, including any planned changes in the group or management structure, entry into new markets or activities;
  - identification of the subcontractors of the ICT third-party service provider which have been designated as critical ICT third-party service providers;
  - any other reasons relevant for the ICT third-party service provider’s application to be designated as critical.
- Where the ICT third-party service provider belongs to a group, the information referred to in paragraph 1 shall be provided in relation to the ICT services provided by the group as a whole.