Source: OJ L, 2024/1502, 30.5.2024Current language: EN
- Digital operational resilience in the financial sector
Oversight framework
- Criteria for designating critical service providers
Article 1 Assessment approach
Summary What does Article 1 of this act say?
This is a foundational procedural article that establishes the two-step framework the European Supervisory Authorities (ESAs) must follow when deciding whether to designate an ICT third-party service provider as critical for financial entities.
It acts as the overarching methodology article, directing readers to the specific criteria contained in Articles 2 through 5.
The article also sets out the formal conditions under which the ESAs, acting through the Joint Committee on the recommendation of the Oversight Forum, can make a final designation — and includes a specific derogation for one of the four criteria drawn from Article 31(2) of DORA.
Important points:
- The ESAs are required to apply a two-step assessment process: first checking whether quantitative threshold sub-criteria are met, then conducting a broader qualitative assessment.
- A provider can only be formally designated as critical if it passes both steps, with the designation made through the Joint Committee upon recommendation from the Oversight Forum.
- One criterion (criterion (c) of Article 31(2) of DORA) has no standalone first step — it is covered by the assessments conducted for the other three criteria.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
When considering the criteria set out in Article 31(2) of Regulation (EU) 2022/2554 to designate an ICT third-party service provider that is critical for financial entities, the ESAs shall apply the following approach:
as a first step, the ESAs shall assess whether the ICT third-party service provider fulfils all of the ‘step 1’ sub-criteria set out in Articles 2(1), 3(1), and 5(1);
as a second step, for those ICT third-party service providers that fulfil all of the ‘step 1’ sub-criteria referred to in point (a), the ESAs shall carry out their assessment in the light of the ‘step 2’ sub-criteria referred to in Articles 2(5), 3(4), 4(1), and 5(5).
By way of derogation from the first sub paragraph, for the assessment of the criterion (c) of Article 31(2) of Regulation (EU) 2022/2554, the first step shall be covered by the assessment to be carried out for the criteria (a), (b) and (d) of Article 31(2) of Regulation (EU) 2022/2554.
After the end of the time period for the submission of a reasoned statement referred to in Article 31(5), first subparagraph, of Regulation (EU) 2022/2554, the ESAs, through the Joint Committee and upon recommendation from the Oversight Forum, shall designate an ICT third-party service provider as critical for financial entities if it fulfils all the ‘step 1’ sub-criteria referred to in paragraph 1, point (a), and following a positive outcome of the assessment carried out in relation to the ‘step 2’ sub-criteria referred to in paragraph 1, point (b).
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT third-party service provider
Definition
Joint Committee
Definition
ICT services