Are You a DORA Critical ICT Third-Party Service Provider (CTPP)?


Following the implementation of the Digital Operational Resilience Act (DORA), ICT third-party service providers (ICT TPPs) need to know whether they are likely to be considered critical to the European Union financial sector.

CTPP: Critical ICT Third-Party Service Provider. An important DORA definition.

ICT TPP: An undertaking providing ICT services.

This article, created with insights from SECFORCE DORA experts Nikos Vassakis and Jonathan Adie, breaks down the legalistic text within the Regulation (and supplementary documentation) to give you an easy-to-understand guide to whether an ICT third-party service provider is likely to be considered critical.


Who/What Is a Critical Third-Party Service Provider (CTPP)?

There are two paths for ICT TPPs to be considered critical.

An essential requirement for ICT TPPs to be considered critical is that they must provide ICT services that support critical or important functions to at least 10% of the financial entities for any given category (as defined in DORA).

“Critical or important functions” refer to functions whose discontinued, defective, or failed performance would materially impair the financial entity.

Several other criteria must also be met (as outlined in this article), but this fundamental requirement will help some ICT TPPs quickly determine whether they are likely to be considered critical.

CTPPs incur additional oversight rules, costs, and required changes to activities; both the CTPP and financial entity would be directly impacted. Financial entities would be taking on the legal responsibility of any consequences of risk introduced by the CTPP.

Financial entities need to know whether they are using the services of a CTPP. It is important to remember that their risks are your risks.


Who Is Not a CTPP?

The following are not considered to be CTPPs:


How Do You Know If an ICT Third-Party Service Provider Is “Critical”?

Under DORA Article 31, a Joint Committee and Oversight Forum sub-committee comprising members of European Supervisory Authorities and competent authorities from each Member State will be responsible for designating CTPPs.

DORA uses a two-step approach to assess if an ICT TPP is critical before carrying out any oversight activities.

An ICT TPP must fulfil both steps to be considered critical.

Step 1. Do ALL of the following criteria apply to you?

To be considered critical, an ICT TPP needs to meet all of the following sub-criteria (taken from Articles 2(1), 3(1), and 5(1) of Commission Delegated Regulation (EU) 2024/1502, which supplements DORA).

Please check the latest additions to the DORA legal text for exact definitions and links to supporting EU regulations.

Could the failure of the ICT third-party provider create a systemic impact on the stability, continuity or quality of the provision of financial services? [Article 2(1)]

Would a major failure of the ICT TPP affect the stability and continuity of financial services of 10% or more of any individual category of financial entities?

DORA provides two calculations which must be used to figure this out.

The ESAs will apply both sub-criteria to the third party; it is not either/or. They will only progress to the "step 2" sub-criteria if both "step 1" calculations come out at 10% or more.

Both are designed to estimate what share of the sector a financial entity operates in (for example, credit institutions) would be exposed if the ICT TPP in question were to fail.

The first calculation (Calculation 1) is:

The number of financial entities in a category as set out in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions of financial entities.

/ (Divided by)

The total number of financial entities of a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.

The second calculation (Calculation 2) is:

The total value of assets of financial entities of a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party provider where the ICT services support critical or important functions of financial entities.

/ (Divided by)

The total value of assets of all EU financial entities of the same category as set out in Article 2(1) of Regulation (EU) 2022/2554.

To be considered a critical third party, both of these calculations must result in an answer equal to or above 10%.


Do “systemically important financial institutions” rely on the ICT third-party provider for critical services? [Article 3(1)]

This is a two-part question that is divided into:

How many global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that are credit institutions are using a service provided by the same ICT third-party service provider to support critical/important functions?

An ICT TPP will be deemed critical if its services are used by any of the following:

(a) one G-SII;

(b) at least three O-SIIs; or

(c) at least one O-SII with an O-SII score above 3,000, calculated in accordance with Article 131(3) of Directive 2013/36/EU.

Note: O-SIIs are identified based on their importance for the Union's economy or the relevant Member State, their significance for cross-border activities, and their interconnection (as an institution or group) with the financial system.

And

How many financial entities, other than credit institutions and G-SIIs and O-SIIs, identified as systemic by competent authorities referred to under Article 46 of Regulation (EU) 2022/2554 are using a service provided by the same ICT third-party service provider to support critical/important functions?

An ICT TPP will be deemed critical if its services are used by any of the following:


How difficult is it for entities in the same category to substitute an alternative provider to perform the same service? [Article 5(1)]

The EU wants to see whether or not financial entities that rely on the ICT TPP for critical or important functions (i.e., functions without which their business could potentially fail) could migrate to a different provider.

It does not matter whether a financial entity relies on those services directly or indirectly (through subcontracting arrangements).

This is assessed through two different calculations:

The first calculation is:

Number of financial entities of a category of financial entities for which no alternative ICT third-party service provider is available that has the required capacity to provide the same ICT services supporting critical or important functions of financial entities as those provided by the relevant ICT third-party service provider

/ (Divided by)

Total number of financial entities of that category of financial entities

The second calculation:

The number of financial entities of a category of financial entities for which it is highly difficult to migrate or reintegrate an ICT service provided by the ICT third-party provider that supports critical or important functions to another ICT third-party provider

/ (Divided by)

The total number of EU financial entities of that category of financial entities.

To qualify as a critical service provider, the answer to both of these questions needs to be equal to or above 10%.
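The Step 1 tests above are easiest to reason about as one screening routine: both Article 2(1) ratios, the Article 3(1)(a) systemic-institution test, and both Article 5(1) ratios, each measured against the 10% bar. The following Python helper is an added illustration, not SECFORCE tooling and not the ESAs' designation method. It assumes that the category-based tests of Articles 2(1) and 5(1) must hold within the same category (my reading of "entities in the same category"), it does not model the Article 3(1)(b) test for other systemic entities because the thresholds for that test are not given on this page, and all figures in it are constructed sample numbers, not real market data.

```python
from dataclasses import dataclass

THRESHOLD = 0.10  # the 10% bar used throughout Step 1


@dataclass(frozen=True)
class CategoryFigures:
    """Figures for one category of financial entities (e.g. credit institutions).
    'served' means served by the provider under assessment for critical or
    important functions, whether directly or through subcontracting."""
    name: str
    entities_total: int            # all EU entities in the category
    entities_served: int           # entities served for critical/important functions
    assets_total: float            # total assets of the category
    assets_served: float           # assets of the served entities
    entities_no_alternative: int   # no alternative provider with the required capacity
    entities_hard_to_migrate: int  # migration or reintegration highly difficult


def ratio(part, whole):
    """Share as a fraction; an empty category can never reach a threshold."""
    return part / whole if whole else 0.0


def article_2_1(c):
    """Calculation 1 (share of entities) and Calculation 2 (share of assets);
    both must be at least 10%."""
    by_count = ratio(c.entities_served, c.entities_total)
    by_assets = ratio(c.assets_served, c.assets_total)
    return by_count, by_assets, by_count >= THRESHOLD and by_assets >= THRESHOLD


def article_3_1a(gsii_count, osii_count, max_osii_score):
    """Systemic credit institutions using the provider for critical/important
    functions: met by (a) one G-SII, (b) at least three O-SIIs, or (c) at least
    one O-SII whose O-SII score is above 3,000. The Article 3(1)(b) test on
    other systemic entities is not modelled (thresholds not given on the page)."""
    return (gsii_count >= 1
            or osii_count >= 3
            or (osii_count >= 1 and max_osii_score > 3000))


def article_5_1(c):
    """Substitutability: share of entities with no alternative provider and
    share for which migration is highly difficult; both must be at least 10%."""
    no_alt = ratio(c.entities_no_alternative, c.entities_total)
    hard = ratio(c.entities_hard_to_migrate, c.entities_total)
    return no_alt, hard, no_alt >= THRESHOLD and hard >= THRESHOLD


def step1_screen(categories, gsii_count, osii_count, max_osii_score):
    """Per-category results plus an overall flag. Assumption: Articles 2(1) and
    5(1) must both hold within the same category, and the Article 3(1)(a) test
    must hold too, before the ESAs would move on to Step 2."""
    per_category = {}
    for c in categories:
        a2 = article_2_1(c)
        a5 = article_5_1(c)
        per_category[c.name] = {
            "article_2_1": a2,
            "article_5_1": a5,
            "passes": a2[2] and a5[2],
        }
    systemic = article_3_1a(gsii_count, osii_count, max_osii_score)
    overall = systemic and any(v["passes"] for v in per_category.values())
    return {"categories": per_category, "systemic": systemic, "overall": overall}


# Constructed sample figures (not real data) for one hypothetical provider.
SAMPLE_CATEGORIES = [
    CategoryFigures("credit institutions", 4000, 500, 1000.0, 150.0, 450, 420),
    CategoryFigures("insurance undertakings", 2000, 150, 300.0, 60.0, 100, 100),
]

if __name__ == "__main__":
    report = step1_screen(SAMPLE_CATEGORIES, gsii_count=0, osii_count=2, max_osii_score=3500)
    for name, r in report["categories"].items():
        print(f"{name}: entities {r['article_2_1'][0]:.1%}, assets {r['article_2_1'][1]:.1%}, "
              f"no alternative {r['article_5_1'][0]:.1%}, hard to migrate {r['article_5_1'][1]:.1%}"
              f" -> {'meets' if r['passes'] else 'does not meet'} Articles 2(1) and 5(1)")
    print("Article 3(1)(a) systemic test met:", report["systemic"])
    print("All modelled Step 1 indicators met:", report["overall"])
```

In the sample, the provider clears every ratio for credit institutions (12.5% of entities, 15% of assets, 11.25% with no alternative, 10.5% hard to migrate) and the systemic test via a single O-SII with a score above 3,000, while the insurance category fails Calculation 1 at 7.5%. Running the same figures with no systemic institutions flips the overall flag to False, which is the point of the "all criteria" rule: one failing sub-criterion is enough to stop the assessment before Step 2.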


Step 2. Do ALL of these apply to you?

Once an ICT TPP meets all of the criteria in step 1 of the assessment, the ESAs will move on to step 2.

The sub-criteria for these tests are set out in Articles 2(5), 3(4), 4(1), and 5(5) of the Delegated Regulation.

How intense would discontinuing the service be, and how dependent is the provider itself on subcontractors? [Article 2(5)]

This is a two-part question that is divided into:

(a) How intense would the impact of discontinuing the ICT services provided by the third-party provider be?

And

(b) Does the critical ICT third-party service provider rely on the same subcontractors for its own ICT services?

In other words, is there a lack of alternative options to the ICT TPP?

Is the critical provider interdependent with the entity it works with? [Article 3(4)]

Is a service provider reliant on an entity for the service to function (or vice versa)? In other words, are both parties intrinsically linked, and would the failure of one lead to the failure of the other?

Does the ICT TPP support critical or important functions in a financial entity’s operation? [Article 4(1)]

For example:

What are the challenges around substitution? [Article 5(5)]

How easy is it to substitute an ICT third-party services provider?

This is calculated based on:

Ultimately, the result is decided based on costs incurred through capital requirements, time and resource requirements and potential risk increases due to migration.


Need Help Complying with DORA? SECFORCE Can Help

SECFORCE is a DORA consultancy firm with extensive experience helping financial service entities and businesses navigate compliance journeys like the ones they will encounter with DORA.

Contact us if you need help with your DORA compliance efforts.


References

Regulation (EU) 2022/2554 of the European Parliament and of the Council (Digital Operational Resilience Act). Publications Office of the EU: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554

Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities (Document 32024R1502): https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj
