Article 28 of the Digital Operational Resilience Act (DORA): Designation of Critical ICT Third-Party Service Providers
The designation of critical ICT third-party service providers is a crucial aspect of ensuring the operational resilience of financial entities within the European Union. This article outlines the criteria and procedures for identifying and overseeing ICT third-party service providers that are deemed critical to the stability and continuity of financial services. The European Supervisory Authorities (ESAs), through the Joint Committee and upon recommendation from the Oversight Forum, play a key role in this process. They identify critical ICT third-party service providers based on systemic impact, reliance by financial entities, and other significant factors. This designation aims to mitigate risks associated with ICT service disruptions, ensuring that financial entities can maintain their operations even in adverse scenarios. The ESAs also appoint a Lead Overseer for each critical provider to ensure continuous monitoring and compliance with regulatory requirements.
The ESAs, acting through the Joint Committee and upon recommendation from the Oversight Forum established under Article 29(1), shall:
- Identify ICT third-party service providers critical to financial entities, considering the criteria specified in paragraph 2.
- Appoint EBA, ESMA, or EIOPA as Lead Overseer for each critical ICT third-party service provider, based on whether the total value of assets held by financial entities using services covered by Regulations (EU) No 1093/2010, (EU) No 1094/2010, or (EU) No 1095/2010, represents more than half of the total assets of all financial entities using those services. This determination uses consolidated or individual balance sheets where applicable.
The designation under point (a) of paragraph 1 shall be based on the following criteria:
- Potential systemic impact on financial services' stability, continuity, or quality if the ICT third-party provider experiences significant operational failures, considering the number of financial entities served.
- Systemic importance of financial entities relying on the ICT third-party provider, assessed by:
  - Number of Global Systemically Important Institutions (G-SIIs) or other Systemically Important Institutions (O-SIIs) using the provider.
  - Interdependence between these G-SIIs or O-SIIs and other financial entities, particularly where they provide financial infrastructure services.
- Reliance of financial entities on services provided by the ICT third-party provider for critical functions, whether directly or indirectly through subcontracting.
- Substitutability of the ICT third-party provider, considering:
  - Limited alternatives due to market concentration, the provider's market share, technical complexity, proprietary technology, or organizational uniqueness.
  - Difficulties in migrating data and workloads to another provider due to financial costs, time, ICT risks, or other operational risks.
- Number of EU Member States where the ICT third-party provider operates.
- Number of EU Member States where financial entities using the ICT third-party provider are active.
The Commission has the authority to adopt delegated acts under Article 50 to complement the criteria in paragraph 2.
The designation mechanism in point (a) of paragraph 1 shall not be applied until the Commission adopts delegated acts as per paragraph 3.
The designation mechanism in point (a) of paragraph 1 does not apply to ICT third-party providers subject to oversight frameworks established to support tasks under Article 127(2) of the Treaty on the Functioning of the European Union.
The ESAs, through the Joint Committee, shall establish, publish, and annually update the list of critical ICT third-party service providers at the EU level.
For point (a) of paragraph 1, competent authorities shall annually submit aggregated reports per Article 25(4) to the Oversight Forum established under Article 29. The Oversight Forum shall evaluate financial entities' ICT dependencies based on information from competent authorities.
ICT third-party providers not included in the list under paragraph 6 may request inclusion. To do so, the ICT third-party provider must submit a reasoned application to EBA, ESMA, or EIOPA. The Joint Committee will decide whether to include the provider in the list under point (a) of paragraph 1. This decision must be adopted and communicated to the ICT third-party provider within six months of receiving the application.
Financial entities shall not use ICT third-party providers established in third countries that would be designated as critical under point (a) of paragraph 1 if they were established in the EU.