Art. 1 Assessment approach | Criteria for designating critical service providers | DORA

1. When considering the criteria set out in Article 31(2) of Regulation (EU) 2022/2554 to designate an ICT third-party service providermeans an undertaking providing ICT services; that is critical for financial entities, the ESAs shall apply the following approach:
  1. as a first step, the ESAs shall assess whether the ICT third-party service providermeans an undertaking providing ICT services; fulfils all of the ‘step 1’ sub-criteria set out in Articles 2(1), 3(1), and 5(1);
  2. as a second step, for those ICT third-party service providersmeans an undertaking providing ICT services; that fulfil all of the ‘step 1’ sub-criteria referred to in point (a), the ESAs shall carry out their assessment in the light of the ‘step 2’ sub-criteria referred to in Articles 2(5), 3(4), 4(1), and 5(5).
2. By way of derogation from the first sub paragraph, for the assessment of the criterion (c) of Article 31(2) of Regulation (EU) 2022/2554, the first step shall be covered by the assessment to be carried out for the criteria (a), (b) and (d) of Article 31(2) of Regulation (EU) 2022/2554.
1. After the end of the time period for the submission of a reasoned statement referred to in Article 31(5), first subparagraph, of Regulation (EU) 2022/2554, the ESAs, through the Joint Committeemeans the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; and upon recommendation from the Oversight Forum, shall designate an ICT third-party service providermeans an undertaking providing ICT services; as critical for financial entities if it fulfils all the ‘step 1’ sub-criteria referred to in paragraph 1, point (a), and following a positive outcome of the assessment carried out in relation to the ‘step 2’ sub-criteria referred to in paragraph 1, point (b).