Source: OJ L, 2024/1502, 30.5.2024

Current language: EN

Article 1 Assessment approach


Summary What does Article 1 of this act say?

This is a foundational procedural article that establishes the two-step framework the European Supervisory Authorities (ESAs) must follow when deciding whether to designate an ICT third-party service provider as critical for financial entities.

It acts as the overarching methodology article, directing readers to the specific criteria contained in Articles 2 through 5.

The article also sets out the formal conditions under which the ESAs, acting through the Joint Committee on the recommendation of the Oversight Forum, can make a final designation — and includes a specific derogation for one of the four criteria drawn from Article 31(2) of DORA.

Important points:

  • The ESAs are required to apply a two-step assessment process: first checking whether quantitative threshold sub-criteria are met, then conducting a broader qualitative assessment.
  • A provider can only be formally designated as critical if it passes both steps, with the designation made through the Joint Committee upon recommendation from the Oversight Forum.
  • One criterion (criterion (c) of Article 31(2) of DORA) has no standalone first step — it is covered by the assessments conducted for the other three criteria.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. When considering the criteria set out in Article 31(2) of Regulation (EU) 2022/2554 to designate an ICT third-party service provider that is critical for financial entities, the ESAs shall apply the following approach:

      1. as a first step, the ESAs shall assess whether the ICT third-party service provider fulfils all of the ‘step 1’ sub-criteria set out in Articles 2(1), 3(1), and 5(1);

      2. as a second step, for those ICT third-party service providers that fulfil all of the ‘step 1’ sub-criteria referred to in point (a), the ESAs shall carry out their assessment in the light of the ‘step 2’ sub-criteria referred to in Articles 2(5), 3(4), 4(1), and 5(5).

    2. By way of derogation from the first sub paragraph, for the assessment of the criterion (c) of Article 31(2) of Regulation (EU) 2022/2554, the first step shall be covered by the assessment to be carried out for the criteria (a), (b) and (d) of Article 31(2) of Regulation (EU) 2022/2554.

    1. After the end of the time period for the submission of a reasoned statement referred to in Article 31(5), first subparagraph, of Regulation (EU) 2022/2554, the ESAs, through the Joint Committee and upon recommendation from the Oversight Forum, shall designate an ICT third-party service provider as critical for financial entities if it fulfils all the ‘step 1’ sub-criteria referred to in paragraph 1, point (a), and following a positive outcome of the assessment carried out in relation to the ‘step 2’ sub-criteria referred to in paragraph 1, point (b).

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod