Source: OJ L, 2024/1502, 30.5.2024Current language: EN
Criteria for designating critical service providers
COMMISSION DELEGATED REGULATION (EU) 2024/1502
of 22 February 2024
supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011(1)OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj., and in particular Article 31(6) thereof,
Whereas:
Recital 1Designation procedure
To assess whether an ICT third-party service provider is critical for financial entities, and taking into account the criteria set out in Article 31(2) of Regulation (EU) 2022/2554, the European Supervisory Authorities (ESAs) should use sub-criteria in a two-step approach assessment. Considering the important number of ICT services and the diversity and number of financial institutions using those services, such a two-step approach should be undertaken to filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers. The quantitative sub-criteria that are to be considered as part of the first step of the assessment are necessary to carry out a first selection of the population of ICT third-party service providers for which it is relevant to carry out a further in-depth analysis in light of the qualitative sub-criteria that are to be considered as part of the second step of the assessment.
Recital 2Importance of activities supported by ICT services
The extent to which an ICT service provided by an ICT third-party service provider supports critical or important functions of the financial entity is considered a crucial element of the criticality assessment in general. Therefore, the importance of the activities of the financial entities that are supported by ICT services should be integrated in all sub-criteria considered as part of the first step. Consequently, there should not be a distinct quantitative assessment related to the criticality of the functions of the financial entities as part of the first step of the assessment. Instead, it is appropriate that the ESAs consider the criticality and importance of the functions of the financial entities supported by ICT services as part of the qualitative second step of the assessment.
Recital 3Individual and group ICT third-party service providers and subcontractors
The assessment should be carried out per individual ICT third-party service provider or, where applicable, per group of ICT third-party services providers in case the ICT third-party service provider belongs to a group as per Article 31(3) of Regulation (EU) 2022/2554. In order to enable a comprehensive assessment of the potential systemic impact on the Union financial sector, ICT subcontractors of ICT third-party service providers should also be subject to the assessment by the ESAs, and where applicable, designated as critical ICT third-party service providers.
Recital 4Systemic impact assessments
To determine the systemic impact of the ICT third-party service provider on the stability, continuity or quality of the provision of financial services it is of paramount importance to develop a clear view on the extent and nature of systemic impact which a large-scale operational failure of an ICT third-party service provider would have on financial entities, which rely on services provided by an ICT third-party service provider, and on the financial system. Therefore, it is appropriate to consider the number of financial entities of a specific category of financial entities using the same ICT services, as well as the value of their assets to assess whether it is relevant to consider the ICT third-party service provider offering those ICT services as critical. Furthermore, a qualitative assessment of the systemic importance and interconnectedness of ICT third-party service providers, as well as the importance of the services provided by an ICT third-party provider on financial entities’ provision of financial services taking into account the stability and the continuity of the services should be carried out to determine the systemic impact of the ICT third-party service provider on the activities of financial entities.
Recital 5Considering the nature of financial entities
To determine the systemic character and importance of the financial entities relying on the ICT services, it is necessary to take into account the nature of those financial entities. Where financial entities that are classified as G-SIIs and O-SIIs or that are identified as ‘systemic’ rely on the same ICT services to support their critical or important functions, it is appropriate to assess whether the ICT third-party service provider providing those services should be considered as critical for the Union financial sector. The interconnectedness between financial entities within the Union financial sector that rely on ICT services provided by the same ICT third-party service provider should also be assessed to determine the reliance of financial entities on that ICT third-party service provider.
Recital 6Critical or important functions
The ICT services supporting critical or important functions of the financial entities should be assessed in respect of their type and critical nature that are necessary for the financial entities to run their activities without any disruptions.
Recital 7Degree of substitutability
To determine the degree of substitutability of the ICT third party service provider, it is necessary to take into account the number of ICT third-party service providers active on a given market, the existence of alternative solutions for the same ICT service, as well as at the costs of migrating data and ICT workloads to other ICT third-party service providers as part of the assessment to be carried out by the ESAs.
Recital 8Sources of information for designation
In order to ensure the soundness of the assessment process, it is important that the ESAs rely on the data from the registers of information referred to in Article 28(3) of Regulation (EU) 2022/2554, and any other readily available information, when assessing whether the ICT third-party service providers should be designated as critical,
HAS ADOPTED THIS REGULATION:
- Article 1Assessment approach
- Article 2Systemic impact of ICT third-party service providers on the stability, continuity or quality of the provision of financial services
- Article 3Systemic character and importance of the ICT services provided to financial entities
- Article 4Criticality or importance of the functions
- Article 5Degree of substitutability
- Article 6Information sources to enable criticality assessment
- Article 7Entry into force and application
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 22 February 2024.
For the Commission
The President
Ursula VON DER LEYEN