2024/1502

30.5.2024

COMMISSION DELEGATED REGULATION (EU) 2024/1502

of 22 February 2024

supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (1), and in particular Article 31(6) thereof,

Whereas:

(1) To assess whether an ICT third-party service provider is critical for financial entities, and taking into account the criteria set out in Article 31(2) of Regulation (EU) 2022/2554, the European Supervisory Authorities (ESAs) should use sub-criteria in a two-step approach assessment. Considering the important number of ICT services and the diversity and number of financial institutions using those services, such a two-step approach should be undertaken to filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers. The quantitative sub-criteria that are to be considered as part of the first step of the assessment are necessary to carry out a first selection of the population of ICT third-party service providers for which it is relevant to carry out a further in-depth analysis in light of the qualitative sub-criteria that are to be considered as part of the second step of the assessment.

(2) The extent to which an ICT service provided by an ICT third-party service provider supports critical or important functions of the financial entity is considered a crucial element of the criticality assessment in general. Therefore, the importance of the activities of the financial entities that are supported by ICT services should be integrated in all sub-criteria considered as part of the first step. Consequently, there should not be a distinct quantitative assessment related to the criticality of the functions of the financial entities as part of the first step of the assessment. Instead, it is appropriate that the ESAs consider the criticality and importance of the functions of the financial entities supported by ICT services as part of the qualitative second step of the assessment.

(3) The assessment should be carried out per individual ICT third-party service provider or, where applicable, per group of ICT third-party services providers in case the ICT third-party service provider belongs to a group as per Article 31(3) of Regulation (EU) 2022/2554. In order to enable a comprehensive assessment of the potential systemic impact on the Union financial sector, ICT subcontractors of ICT third-party service providers should also be subject to the assessment by the ESAs, and where applicable, designated as critical ICT third-party service providers.

(4) To determine the systemic impact of the ICT third-party service provider on the stability, continuity or quality of the provision of financial services it is of paramount importance to develop a clear view on the extent and nature of systemic impact which a large-scale operational failure of an ICT third-party service provider would have on financial entities, which rely on services provided by an ICT third-party service provider, and on the financial system. Therefore, it is appropriate to consider the number of financial entities of a specific category of financial entities using the same ICT services, as well as the value of their assets to assess whether it is relevant to consider the ICT third-party service provider offering those ICT services as critical. Furthermore, a qualitative assessment of the systemic importance and interconnectedness of ICT third-party service providers, as well as the importance of the services provided by an ICT third-party provider on financial entities’ provision of financial services taking into account the stability and the continuity of the services should be carried out to determine the systemic impact of the ICT third-party service provider on the activities of financial entities.

(5) To determine the systemic character and importance of the financial entities relying on the ICT services, it is necessary to take into account the nature of those financial entities. Where financial entities that are classified as G-SIIs and O-SIIs or that are identified as ‘systemic’ rely on the same ICT services to support their critical or important functions, it is appropriate to assess whether the ICT third-party service provider providing those services should be considered as critical for the Union financial sector. The interconnectedness between financial entities within the Union financial sector that rely on ICT services provided by the same ICT third-party service provider should also be assessed to determine the reliance of financial entities on that ICT third-party service provider.

(6) The ICT services supporting critical or important functions of the financial entities should be assessed in respect of their type and critical nature that are necessary for the financial entities to run their activities without any disruptions.

(7) To determine the degree of substitutability of the ICT third party service provider, it is necessary to take into account the number of ICT third-party service providers active on a given market, the existence of alternative solutions for the same ICT service, as well as at the costs of migrating data and ICT workloads to other ICT third-party service providers as part of the assessment to be carried out by the ESAs.

(8) In order to ensure the soundness of the assessment process, it is important that the ESAs rely on the data from the registers of information referred to in Article 28(3) of Regulation (EU) 2022/2554, and any other readily available information, when assessing whether the ICT third-party service providers should be designated as critical,

HAS ADOPTED THIS REGULATION:

Article 1

Assessment approach

1.   When considering the criteria set out in Article 31(2) of Regulation (EU) 2022/2554 to designate an ICT third-party service provider that is critical for financial entities, the ESAs shall apply the following approach:

(a) as a first step, the ESAs shall assess whether the ICT third-party service provider fulfils all of the ‘step 1’ sub-criteria set out in Articles 2(1), 3(1), and 5(1);

(b) as a second step, for those ICT third-party service providers that fulfil all of the ‘step 1’ sub-criteria referred to in point (a), the ESAs shall carry out their assessment in the light of the ‘step 2’ sub-criteria referred to in Articles 2(5), 3(4), 4(1), and 5(5).

By way of derogation from the first sub paragraph, for the assessment of the criterion (c) of Article 31(2) of Regulation (EU) 2022/2554, the first step shall be covered by the assessment to be carried out for the criteria (a), (b) and (d) of Article 31(2) of Regulation (EU) 2022/2554.

2.   After the end of the time period for the submission of a reasoned statement referred to in Article 31(5), first subparagraph, of Regulation (EU) 2022/2554, the ESAs, through the Joint Committee and upon recommendation from the Oversight Forum, shall designate an ICT third-party service provider as critical for financial entities if it fulfils all the ‘step 1’ sub-criteria referred to in paragraph 1, point (a), and following a positive outcome of the assessment carried out in relation to the ‘step 2’ sub-criteria referred to in paragraph 1, point (b).

Article 2

Systemic impact of ICT third-party service providers on the stability, continuity or quality of the provision of financial services

1.   When considering the criterion set out in Article 31(2), point (a), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:

(a) sub-criterion 1.1: share of the number of financial entities, broken down by categories of financial entities as listed in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions;

(b) sub-criterion 1.2: share of the total value of assets of financial entities, broken down by categories of financial entities as listed in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party provider where the ICT services support critical or important functions of financial entities.

2.   The sub-criterion 1.1 set out in paragraph 1, point (a), shall be calculated as follows:

3.   The sub-criterion 1.2 set out in paragraph 1, point (b), shall be calculated as follows:

4.   An ICT third-party service provider shall be considered as having fulfilled the ‘step 1’ sub-criteria referred to in paragraph 1 where both of the shares as calculated in accordance with paragraphs 2 and 3 are of at least 10 % of the total number for at least one category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.

5.   When considering the criterion set out in Article 31(2), point (a), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criteria:

(a) sub-criterion 1.3: the intensity of the impact of discontinuing the ICT services provided by the ICT third-party service provider on the activities and operations of financial entities identified in the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article and the number of those financial entities affected;

(b) sub-criterion 1.4: the dependence of the critical ICT third-party service provider on the same subcontractors providing ICT services supporting critical or important functions of financial entities.

Article 3

Systemic character and importance of the ICT services provided to financial entities

1.   When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:

(a) sub-criterion 2.1: number of global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs) that are credit institutions to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions;

(b) sub-criterion 2.2: number of financial entities, other than credit institutions and G-SIIs and O-SIIs referred to in point (a) above, identified as systemic by competent authorities referred to under Article 46 of Regulation (EU) 2022/2554 to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions.

2.   An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (a), if the ICT services it provides are used at least by either of the following:

(a) one G-SII;

(b) at least three O-SIIs;

(c) at least one O-SII with an O-SII score above 3 000 calculated in accordance with Article 131(3) of Directive 2013/36/EU of the European Parliament and of the Council (2).

3.   An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (b), if the ICT services that it provides are used at least by either of the following:

(a) one financial entity that is a financial entity as referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which is identified as ‘systemic’ by competent authorities;

(b) at least three financial entities, other than credit institutions and than financial entities referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which are identified as ‘systemic’ by competent authorities.

4.   When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criterion:

— sub-criterion 2.3: G-SIIs or O-SIIs and other financial entities included in the assessment in the ‘step 1’ sub criteria referred to in paragraph 1 of this Article, including where those G-SIIs or O-SIIs provide financial infrastructure services to other financial entities, relying on an ICT service provided by the same ICT third-party service provider, are interdependent.

Article 4

Criticality or importance of the functions

When considering the criterion set out in Article 31(2), point (c), of Regulation (EU) 2022/2554, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criterion:

— sub-criterion 3.1: the ICT service provided ultimately by the same ICT third-party service provider supporting critical or important functions of financial entities is of a critical nature for the activities of the financial entities.

Article 5

Degree of substitutability

1.   When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:

(a) sub-criterion 4.1: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which no alternative ICT third-party service provider is available which has the required capacity to provide the same ICT services that support critical or important functions of financial entities as the one provided by the relevant ICT third-party service provider;

(b) sub-criterion 4.2: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which it is highly difficult to migrate an ICT service provided by the relevant ICT third-party service provider that supports critical or important functions of financial entities to another ICT third-party service provider.

2.   The sub-criterion 4.1 set out in paragraph 1, point (a), shall be calculated as follows:

3.   The sub-criterion set out in paragraph 1, point (b), shall be calculated as follows:

4.   An ICT third-party service provider shall be considered as having fulfilled both sub-criteria 4.1 and 4.2 where either of the following is met:

(a) the share of the total number of financial entities referred to in paragraph 1, point (a), is of at least 10 % of the total number of financial entities for a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554;

(b) the share of the total number of financial entities referred to in paragraph 1, point (b), is of at least 10 % of the total number of financial entities or a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.

5.   When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the step two sub-criterion specified in Article 31(2), point (d)(i) of Regulation (EU) 2022/2554.

Article 6

Information sources to enable criticality assessment

1.   The ESAs shall use the data provided by the registers of information referred to in Article 28(3) of Regulation (EU) 2022/2554, for the assessment of the sub-criteria listed in Articles 2 to 5. The ESAs may also use additional available data they have at their disposal from all sources of information to perform the criticality assessment.

2.   The ESAs shall take into account the most recent data available to them during the assessment year, or where applicable, the data that has been made available to them at the latest by 31 December of the year preceding the criticality assessment.

Article 7

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

.

However, the Lead Overseer shall apply the sub-criterion 1.4 referred to in Article 2, paragraph 5, point (b) as of 16 January 2025.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 22 February 2024.

For the Commission

The President

Ursula VON DER LEYEN

(1)  

OJ L 333, 27.12.2022, p. 1

, ELI:

http://data.europa.eu/eli/reg/2022/2554/oj

.

(2)  Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (

OJ L 176, 27.6.2013, p. 338

, ELI:

http://data.europa.eu/eli/dir/2013/36/oj

).

ELI: http://data.europa.eu/eli/reg_del/2024/1502/oj

ISSN 1977-0677 (electronic edition)