Home Knowledge How critical is critical? – ESAs publish technical advice on critical service provider designation under DORA

How critical is critical? – ESAs publish technical advice on critical service provider designation under DORA

October 5, 2023
Partner
John O’Connor
Partner
Shane Kelleher
Louise McNabola
Partner
Louise McNabola

The Digital Operational Resilience Act (DORA) – Information and Communication Technology (ITC) Service Providers

DORA is due to take effect in January 2025. The effect of DORA on ICT service providers goes to the heart of the third-party risk management objective of DORA. We discussed this from the financial entity’s point of view in a previous article.

Effect of “Critical” Designation

Under Article 31 of DORA, ICT third-party service providers may be deemed “critical” which brings them within the scope of DORA’s new oversight framework. This places one of the European Supervisory Authorities (the EBA, EIOPA and ESMA) (the “ESAs“) in the position of ‘Lead Overseer’ of that service provider, who will oversee the creation and administration of an oversight plan regarding that service provider. A designation of “critical” may be onerous for many service providers so the criterion for designation is paramount.

Designation Criteria

While DORA contains 4 overarching criteria, further detail is expected within a delegated act to be adopted by the European Commission. In December 2022, the European Commission requested that the ESAs provide technical advice on the criteria required for the designation of critical ICT third-party service providers. The ESAs, following a discussion period which occurred over late autumn, have published their joint technical advice dated 29 September 2023 (the Technical Advice) (accessible here). The Technical Advice informs the European Commission as to the appropriate contents of the delegated act. The delegated act is expected by January 2024, with a hard deadline within DORA of July 2024.

The Technical Advice

The Technical Advice adopts a two-step indicator-based approach to perform a multi-factor criticality assessment, based on the criteria established by DORA. The ESAs have included:

– 6 new quantitative indicators which include relevant minimum triggering thresholds; and
– 5 additional indicators which are to be used to allow the ESAs to engage in a more granular examination of service providers.

The new indicators require a consideration of the pan-European footprint of relevant service providers. How reliant the financial services sector, as a whole, is upon them will be too. This will have a particular focus on service providers supporting critical or important functions.

Unfortunately, the Technical Advice is not clear as to how these indicators are to be applied collectively in practice. The European Commission only requested advice on the relevant thresholds to be used. We can expect to see further detail on how the criteria and indicators will be applied within the European Commission’s draft delegated act.

Conclusion

The possible designation as ‘critical’ is a topic which will be closely watched by organisations including prominent cloud service providers who are providing critical or important services to financial services undertakings across the common market. More generally, DORA will affect financial entities caught directly within scope, but also the service providers who support those entities, be it directly or indirectly. With DORA due to take effect in January 2025, the time to think about compliance is now. If you wish to discuss any of the issues highlighted above, or want to reach out with a query, please contact any of the Key Contacts listed or your usual William Fry contact.

Contributed by
Conor Forde

Related Practice Areas
Fintech
Banking & Finance
Cyber Security
Related Sectors
Financial Services

Recommended Insights

See all
Article and Insights
9
Apr 2024
Central Bank Updates Approach to Authorising Payment Institutions / E-Money Institutions
We look at updates to the Central Bank's approach to authorising Payment and E-Mon...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
12
Mar 2024
Food, Beverage & Agribusiness Podcast – Data Protection & Cyber Security
In this episode Laura considers how these issues have become an increasingly criti...
WF_author_blank
Associate
Laura Casey
Article and Insights
8
Mar 2024
Payments and E-Money Sector – Central Bank Event and Report
We look at key supervisory priorities for the payments and e-money sector based on...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
21
Dec 2023
Administrative Sanctions Procedure Guidelines Now in Force
13 Dec 2023, the CBI published consolidated Guidelines relating to the enhanced Ad...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
13
Nov 2023
Central Bank’s Thematic Review of Irish Insurers Highlights Importance of Cyber Security
We discuss the supervisory focus on cyber security, both at a domestic and Europea...
WF_author_blank
Partner
Eoin Caulfield
Article and Insights
14
Jul 2023
Sharing is Caring: The Financial Data Access Regulation
We look at the European Commission's new proposal for a framework to manage the sh...
WF_author_blank
Partner
John O’Connor
Article and Insights
29
Jun 2023
Enforcing DORA: £80k Fine for CIO’s Failed IT Migration
We look at DORA enforcement and the potential penalties involved, and we examine a...
WF_author_blank
Partner
John O’Connor
Article and Insights
26
Jun 2023
Digital Operational Resilience – Are you DORA ready?
In this follow-on article for our DORA series, we focus on the draft implementatio...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
8
Jun 2023
Legal News – June 2023
Welcome to the June 2023 edition of Legal News. Here is a selection of our recent ...
prev
next
See all