Article 28 Digital Operational Resilience Act (DORA), Designation of Critical ICT Third-Party Service Providers

Sep 12, 2024 by Sneha Naskar

Article 28 of the Digital Operational Resilience Act (DORA) focuses on the designation of critical ICT third-party service providers. The European Supervisory Authorities (ESAs), through their Joint Committee and based on recommendations from the Oversight Forum, are responsible for identifying these providers. The designation process considers specific criteria, with the intent of safeguarding the stability, continuity, and quality of financial services across the EU.


Designation Process and Criteria

The ESAs, after consulting the Oversight Forum, designate critical ICT third-party service providers by evaluating the systemic impact of potential operational failures, the importance of financial entities dependent on these providers, and the degree of reliance on the provider for critical functions. The process also assesses the substitutability of the provider, considering market share, technical complexity, and potential difficulties in migrating to alternative providers. The geographical reach of the provider, both in terms of the number of EU Member States it operates in and the Member States where its client financial entities are active, is also a factor.

Role of the Lead Overseer

Once a critical ICT third-party provider is designated, the ESAs appoint a Lead Overseer—either the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), or European Insurance and Occupational Pensions Authority (EIOPA). The choice depends on which financial sector is most affected by the provider's services, as determined by the total value of assets managed by financial entities relying on the provider.

Supplementary Delegated Acts

The European Commission is empowered to adopt delegated acts to refine the criteria used for designating critical ICT third-party providers. However, the designation mechanism cannot be applied until such delegated acts are adopted.


Exemptions and Oversight

ICT third-party providers already subject to oversight frameworks under Article 127(2) of the Treaty on the Functioning of the European Union are exempt from this designation process. Furthermore, the ESAs, through their Joint Committee, are tasked with annually updating and publishing a list of critical ICT third-party service providers at the Union level.

Reporting and Monitoring

To facilitate this process, competent authorities are required to submit yearly and aggregated reports on ICT third-party dependencies to the Oversight Forum. The Forum then assesses these dependencies and provides the necessary data for the designation process.

Voluntary Inclusion in the List

ICT third-party providers not initially designated as critical can request inclusion in the list by submitting a reasoned application to the ESAs. The decision to include them must be made within six months and is communicated to the provider accordingly.

Restrictions on Third-Country Providers

Financial entities are prohibited from using ICT third-party providers established in non-EU countries if those providers would have been designated as critical had they been established within the Union. This restriction is aimed at ensuring that all critical ICT service providers operate under the same regulatory oversight and standards, thereby enhancing the overall resilience of the financial system within the EU.
