Designation of critical ICT third-party service providers


TL;DR This article sets out the process by which the European Supervisory Authorities (ESAs) designate an ICT third-party service provider as critical. The designation follows an assessment against criteria such as the systemic impact of a failure to provide the services, the reliance of financial entities on them, the degree of substitutability and other relevant factors; where the provider belongs to a group, the criteria are assessed at group level. The Lead Overseer notifies the provider of the outcome of the assessment and considers any reasoned statement the provider submits, and the ESAs then notify the provider of its designation. The European Commission is empowered to specify the designation criteria further by 17 July 2024, and financial entities may only use a critical ICT third-party service provider established in a third country if it establishes a subsidiary in the Union within 12 months of the designation.
  1. The ESAs, through the Joint Committee and upon recommendation from the Oversight Forum established pursuant to Article 32(1), shall:

    (a) designate the ICT third-party service providers that are critical for financial entities, following an assessment that takes into account the criteria specified in paragraph 2;

    (b) appoint as Lead Overseer for each critical ICT third-party service provider the ESA that is responsible, in accordance with Regulations (EU) No 1093/2010, (EU) No 1094/2010 or (EU) No 1095/2010, for the financial entities having together the largest share of total assets out of the value of total assets of all financial entities using the services of the relevant critical ICT third-party service provider, as evidenced by the sum of the individual balance sheets of those financial entities.

  2. The designation referred to in paragraph 1, point (a), shall be based on all of the following criteria in relation to ICT services provided by the ICT third-party service provider:

    (a) the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party service provider would face a large scale operational failure to provide its services, taking into account the number of financial entities and the total value of assets of financial entities to which the relevant ICT third-party service provider provides services;

    (b) the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider, assessed in accordance with the following parameters:

      (i) the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the respective ICT third-party service provider;

      (ii) the interdependence between the G-SIIs or O-SIIs referred to in point (i) and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities;

    (c) the reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions of financial entities that ultimately involve the same ICT third-party service provider, irrespective of whether financial entities rely on those services directly or indirectly, through subcontracting arrangements;

    (d) the degree of substitutability of the ICT third-party service provider, taking into account the following parameters:

      (i) the lack of real alternatives, even partial, due to the limited number of ICT third-party service providers active on a specific market, or the market share of the relevant ICT third-party service provider, or the technical complexity or sophistication involved, including in relation to any proprietary technology, or the specific features of the ICT third-party service provider’s organisation or activity;

      (ii) difficulties in relation to partially or fully migrating the relevant data and workloads from the relevant ICT third-party service provider to another ICT third-party service provider, due either to significant financial costs, time or other resources that the migration process may entail, or to increased ICT risk or other operational risks to which the financial entity may be exposed through such migration.

  3. Where the ICT third-party service provider belongs to a group, the criteria referred to in paragraph 2 shall be considered in relation to the ICT services provided by the group as a whole.

  4. Critical ICT third-party service providers which are part of a group shall designate one legal person as a coordination point to ensure adequate representation and communication with the Lead Overseer.

  5. The Lead Overseer shall notify the ICT third-party service provider of the outcome of the assessment leading to the designation referred to in paragraph 1, point (a). Within 6 weeks from the date of the notification, the ICT third-party service provider may submit to the Lead Overseer a reasoned statement with any relevant information for the purposes of the assessment. The Lead Overseer shall consider the reasoned statement and may request additional information to be submitted within 30 calendar days of the receipt of such statement.

    After designating an ICT third-party service provider as critical, the ESAs, through the Joint Committee, shall notify the ICT third-party service provider of such designation and the starting date as from which they will effectively be subject to oversight activities. That starting date shall be no later than one month after the notification. The ICT third-party service provider shall notify the financial entities to which they provide services of their designation as critical.

  6. The Commission is empowered to adopt a delegated act in accordance with Article 57 to supplement this Regulation by specifying further the criteria referred to in paragraph 2 of this Article, by 17 July 2024.

  7. The designation referred to in paragraph 1, point (a), shall not be used until the Commission has adopted a delegated act in accordance with paragraph 6.

  8. The designation referred to in paragraph 1, point (a), shall not apply to the following:

    (a) financial entities providing ICT services to other financial entities;

    (b) ICT third-party service providers that are subject to oversight frameworks established for the purposes of supporting the tasks referred to in Article 127(2) of the Treaty on the Functioning of the European Union;

    (c) ICT intra-group service providers;

    (d) ICT third-party service providers providing ICT services solely in one Member State to financial entities that are only active in that Member State.

  9. The ESAs, through the Joint Committee, shall establish, publish and update yearly the list of critical ICT third-party service providers at Union level.

  10. For the purposes of paragraph 1, point (a), competent authorities shall, on a yearly and aggregated basis, transmit the reports referred to in Article 28(3), third subparagraph, to the Oversight Forum established pursuant to Article 32. The Oversight Forum shall assess the ICT third-party dependencies of financial entities based on the information received from the competent authorities.

  11. The ICT third-party service providers that are not included in the list referred to in paragraph 9 may request to be designated as critical in accordance with paragraph 1, point (a).

    For the purpose of the first subparagraph, the ICT third-party service provider shall submit a reasoned application to EBA, ESMA or EIOPA, which, through the Joint Committee, shall decide whether to designate that ICT third-party service provider as critical in accordance with paragraph 1, point (a).

    The decision referred to in the second subparagraph shall be adopted and notified to the ICT third-party service provider within 6 months of receipt of the application.

  12. Financial entities shall only make use of the services of an ICT third-party service provider established in a third country and which has been designated as critical in accordance with paragraph 1, point (a), if the latter has established a subsidiary in the Union within the 12 months following the designation.

  13. The critical ICT third-party service provider referred to in paragraph 12 shall notify the Lead Overseer of any changes to the structure of the management of the subsidiary established in the Union.