Source: OJ L, 2024/1502, 30.5.2024

Criteria for designating critical service providers

Commission Delegated Regulation (EU) 2024/1502

of 22 February 2024

supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council

by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions; for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011(¹)OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj., and in particular Article 31(6) thereof,

Whereas:

Open full page

Recital 1 Designation procedure

To assess whether an ICT third-party service provider means an undertaking providing ICT services; is critical for financial entitiesas defined in Article 2, points (a) to (t), and taking into account the criteria set out in Article 31(2) of Regulation (EU) 2022/2554, the European Supervisory Authorities (ESAsEuropean Supervisory Authority) should use sub-criteria in a two-step approach assessment. Considering the important number of ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; and the diversity and number of financial institutions using those services, such a two-step approach should be undertaken to filter the population of ICT third-party service providers means an undertaking providing ICT services; and identify the most critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;. The quantitative sub-criteria that are to be considered as part of the first step of the assessment are necessary to carry out a first selection of the population of ICT third-party service providers means an undertaking providing ICT services; for which it is relevant to carry out a further in-depth analysis in light of the qualitative sub-criteria that are to be considered as part of the second step of the assessment.

Recital 2 Importance of activities supported by ICT services

The extent to which an ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; provided by an ICT third-party service provider means an undertaking providing ICT services; supports critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is considered a crucial element of the criticality assessment in general. Therefore, the importance of the activities of the financial entitiesas defined in Article 2, points (a) to (t) that are supported by ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; should be integrated in all sub-criteria considered as part of the first step. Consequently, there should not be a distinct quantitative assessment related to the criticality of the functions of the financial entitiesas defined in Article 2, points (a) to (t) as part of the first step of the assessment. Instead, it is appropriate that the ESAsEuropean Supervisory Authority consider the criticality and importance of the functions of the financial entitiesas defined in Article 2, points (a) to (t) supported by ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; as part of the qualitative second step of the assessment.

Recital 3 Individual and group ICT third-party service providers and subcontractors

The assessment should be carried out per individual ICT third-party service provider means an undertaking providing ICT services; or, where applicable, per group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; of ICT third-party services providers means an undertaking providing ICT services; in case the ICT third-party service provider means an undertaking providing ICT services; belongs to a group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; as per Article 31(3) of Regulation (EU) 2022/2554. In order to enable a comprehensive assessment of the potential systemic impact on the Union financial sector, ICT subcontractors of ICT third-party service providers means an undertaking providing ICT services; should also be subject to the assessment by the ESAsEuropean Supervisory Authority, and where applicable, designated as critical ICT third-party service providers means an ICT third-party service provider designated as critical in accordance with Article 31;.

Recital 4 Systemic impact assessments

To determine the systemic impact of the ICT third-party service provider means an undertaking providing ICT services; on the stability, continuity or quality of the provision of financial services it is of paramount importance to develop a clear view on the extent and nature of systemic impact which a large-scale operational failure of an ICT third-party service provider means an undertaking providing ICT services; would have on financial entitiesas defined in Article 2, points (a) to (t), which rely on services provided by an ICT third-party service provider means an undertaking providing ICT services;, and on the financial system. Therefore, it is appropriate to consider the number of financial entitiesas defined in Article 2, points (a) to (t) of a specific category of financial entitiesas defined in Article 2, points (a) to (t) using the same ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, as well as the value of their assets to assess whether it is relevant to consider the ICT third-party service provider means an undertaking providing ICT services; offering those ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; as critical. Furthermore, a qualitative assessment of the systemic importance and interconnectedness of ICT third-party service providers means an undertaking providing ICT services;, as well as the importance of the services provided by an ICT third-party provider on financial entitiesas defined in Article 2, points (a) to (t)’ provision of financial services taking into account the stability and the continuity of the services should be carried out to determine the systemic impact of the ICT third-party service provider means an undertaking providing ICT services; on the activities of financial entitiesas defined in Article 2, points (a) to (t).

Recital 5 Considering the nature of financial entities

To determine the systemic character and importance of the financial entitiesas defined in Article 2, points (a) to (t) relying on the ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;, it is necessary to take into account the nature of those financial entitiesas defined in Article 2, points (a) to (t). Where financial entitiesas defined in Article 2, points (a) to (t) that are classified as G-SIIs and O-SIIs or that are identified as ‘systemic’ rely on the same ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; to support their critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, it is appropriate to assess whether the ICT third-party service provider means an undertaking providing ICT services; providing those services should be considered as critical for the Union financial sector. The interconnectedness between financial entitiesas defined in Article 2, points (a) to (t) within the Union financial sector that rely on ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; provided by the same ICT third-party service provider means an undertaking providing ICT services; should also be assessed to determine the reliance of financial entitiesas defined in Article 2, points (a) to (t) on that ICT third-party service provider means an undertaking providing ICT services;.

Recital 6 Critical or important functions

The ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; supporting critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entitiesas defined in Article 2, points (a) to (t) should be assessed in respect of their type and critical nature that are necessary for the financial entitiesas defined in Article 2, points (a) to (t) to run their activities without any disruptions.

Recital 7 Degree of substitutability

To determine the degree of substitutability of the ICT third party service provider, it is necessary to take into account the number of ICT third-party service providers means an undertaking providing ICT services; active on a given market, the existence of alternative solutions for the same ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881;, as well as at the costs of migrating data and ICT workloads to other ICT third-party service providers means an undertaking providing ICT services; as part of the assessment to be carried out by the ESAsEuropean Supervisory Authority.

Recital 8 Sources of information for designation

In order to ensure the soundness of the assessment process, it is important that the ESAsEuropean Supervisory Authority rely on the data from the registers of information referred to in Article 28(3) of Regulation (EU) 2022/2554, and any other readily available information, when assessing whether the ICT third-party service providers means an undertaking providing ICT services; should be designated as critical,

HAS ADOPTED THIS REGULATION:

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 22 February 2024.

For the Commission

The President

Ursula VON DER LEYEN