Classification of IT service providers as critical ICT third-party service providers under DORA
The Digital Operational Resilience Act (Regulation (EU) 2022/2554, ‘DORA’) implements a comprehensive set of obligations for financial entities to strengthen their cyber resilience (cf. our Insights article, The Digital Operational Resilience Act (DORA) and its significance for the financial sector). DORA also contains requirements for certain ICT service providers and subjects them to ‘basic oversight’ (see our Insights article, When IT service providers are subject to financial oversight: An overview of the DORA supervisory framework). We explain hereafter which IT service providers are likely to be classified by DORA as critical ICT third-party service providers and could thus be subject to financial oversight in the broader sense.
Which ICT third-party service providers are critical – DORA test criteria
The DORA oversight framework applies to companies providing ICT services designated as ‘critical’ and to which none of the exceptions in Article 31(8) DORA apply (‘critical ICT third-party service providers’).
The assessment and, where the criteria are met, designation of an ICT third-party service provider as ‘critical’ is carried out at European level by the European Supervisory Authorities (ESAs), which then appoint one of their number as Lead Overseer for the designated provider. The assessment is based primarily on the following criteria (Article 31(2)(a)–(d) DORA):
- the systemic impact on the stability, continuity or quality of financial services, in the event that the relevant ICT third-party service provider suffers a large-scale operational failure, on the financial entities to which it provides ICT services;
- the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider, assessed according to the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) within the meaning of the CRR that rely on the relevant ICT third-party service provider;
- criticality or importance of the functions of financial entities that are supported by the relevant ICT third-party service provider; and
- the degree of substitutability of the ICT third-party service provider, considering the number of ICT third-party service providers active on the specific market and the cost and effort of migrating data and ICT workloads from that ICT third-party service provider to another one.
Details specified in the Delegated Regulation
The Commission Delegated Regulation of 22 February 2024 (C(2024) 896 final, ‘Delegated Regulation’) specifies how the DORA test criteria are to be applied and defines them in substantive terms. A two-step procedure is applied: in step 1, a quantitative assessment identifies the ICT third-party service providers that are most critical in quantitative terms (Article 1(1)(a) Delegated Regulation); in step 2, a qualitative assessment of those ICT third-party service providers is carried out (Article 1(1)(b) Delegated Regulation). An ICT third-party service provider is designated as ‘critical’ only if it cumulatively fulfils all quantitative sub-criteria in step 1 and the subsequent qualitative assessment in step 2 is positive (Article 1(2) Delegated Regulation).
Step 1: Quantitative assessment of ICT third-party service providers
The quantitative assessment in step 1 comprises the following criteria and sub-criteria (Article 1(1)(a) Delegated Regulation):
Systemic impact of ICT third-party service providers on the stability, continuity or quality of the provision of financial services
These quantitative criteria are met where the ICT third-party service provider provides ICT services to support critical or important functions at financial entities and:
- the service provider’s customers make up at least 10% of the total number of financial entities in at least one category of financial entities in the EU within the meaning of Article 2(1) DORA, e.g. 10% of all credit institutions, of all investment firms, of all management companies etc.; and
- the total value of the assets of those customers is at least 10% of the total value of the assets of all EU financial entities in that category, i.e. of all credit institutions, all investment firms, all management companies etc.
Systemic character and importance of the ICT services provided to financial entities
These quantitative criteria are met where the ICT third-party service provider’s customers include a specified minimum number of the following financial entities:
- credit institutions that are G-SIIs and O-SIIs; and/or
- financial entities identified as systemic by competent authorities.
The thresholds (i.e. the specific number of systemic financial entities required) are set out in Article 3(2) and (3) Delegated Regulation.
Degree of substitutability
These quantitative criteria are met where the ICT third-party service provider provides ICT services for critical or important functions of financial entities and:
- its customers that have no alternative ICT third-party service provider make up at least 10% of the total number of EU financial entities in that category of financial entities within the meaning of Article 2(1) DORA, e.g. 10% of all credit institutions, of all investment firms, of all management companies etc.; and
- for at least 10% of its customers, migrating to another ICT third-party service provider would be ‘highly difficult’.
Step 2: Qualitative assessment of ICT third-party service providers
The qualitative assessment in step 2 comprises the following sub-criteria (Article 1(1)(b) Delegated Regulation):
Systemic impact of ICT third-party service providers
The lead supervisory authority carries out the assessment of the systemic impact of an ICT third-party service provider based on the following sub-criteria:
- the intensity of the impact that a discontinuation of the ICT services provided by the ICT third-party service provider would have on the activities and operations of financial entities, and the number of financial entities affected; and
- the dependence of the ICT third-party service provider on the same subcontractors for ICT services supporting critical or important functions of financial entities.
Systemic character of the ICT services
When assessing the systemic character of the ICT services the lead supervisory authority considers the interdependence between the G-SIIs or O-SIIs included in step 1 and other financial entities receiving ICT services from the same ICT third-party service provider.
Criticality or importance of the functions supported
The lead supervisory authority assesses the criticality and importance of the supported functions based on whether the ICT services provided by the ICT third-party service provider are critical to the activities of the financial entities.
Degree of substitutability
The lead supervisory authority considers the following parameters when assessing the degree of substitutability of the ICT third-party service provider:
- a lack of genuine alternative solutions, even partial ones, due to the limited number of ICT third-party service providers operating in a particular market;
- the market share of the ICT third-party service provider in question;
- the associated technical complexity or degree of differentiation; and
- the specific characteristics of the organisation or activity of the ICT third-party service provider.
Legal remedies
DORA establishes an oversight regime for critical ICT third-party service providers which is distinct from the regulatory regime applicable to financial institutions (e.g. a critical ICT third-party service provider does not require a licence from the financial supervisory authority to operate). Administrative measures taken within the oversight regime can nevertheless have a negative impact on ICT third-party service providers, so that legal remedies may become necessary. The appropriate legal remedy has to be determined on a case-by-case basis, in particular depending on which kind of onerous administrative act is taken and whether it is taken by a national or a European authority.
Regarding measures taken by European authorities, an affected ICT third-party service provider may lodge an appeal with the Joint Board of Appeal of the ESAs (Article 60(1) ESA Regulations), e.g. against requests for information or the ordering of general investigations and inspections (cf. Article 37(3)(f), Article 38(4) sentence 2 and Article 39(6) sentence 1 DORA). In addition, the ICT third-party service provider may bring an action for annulment before the Court of Justice of the European Union (Article 263(4) TFEU).
Regarding measures taken by national authorities, an affected ICT third-party service provider may use the legal remedies available under national administrative law. In Germany these comprise administrative objection proceedings (Widerspruchsverfahren) and an action for annulment (Anfechtungsklage), e.g. against an official order addressed to a financial entity requiring it to temporarily suspend or terminate contractual arrangements with an ICT third-party service provider (Article 42(6) DORA). Such an order directly affects the financial entity as the addressee of the administrative act, but it also has a restrictive effect on the ICT third-party service provider.