Source: OJ L, 2024/1502, 30.5.2024

Current language: EN

Article 2 Systemic impact of ICT third-party service providers on the stability, continuity or quality of the provision of financial services

Summary What does Article 2 of the Criteria for designating critical service providers say?

This article operationalises the first of four criteria the ESAs must consider when assessing whether an ICT third-party service provider should be designated as critical, building directly on the two-step framework established in Article 1.

It sets out two quantitative step 1 sub-criteria — market share by number of financial entities served and by total asset value of those entities — along with precise calculation formulas for each.

A clear numerical threshold of 10% must be met for both measures across at least one category of financial entities before a provider clears the step 1 hurdle.

Only then do the ESAs proceed to the qualitative step 2 assessment, which looks at the severity of potential disruption and the provider's dependence on shared subcontractors.

Important points:

  • The ESAs are required to apply a 10% threshold to both the number of financial entities served and the total asset value of those entities, and both must be met for at least one category of financial entities to pass step 1.
  • The ESAs then assess two further qualitative sub-criteria at step 2: the impact intensity of a service discontinuation on financial entities, and the provider's reliance on common subcontractors for critical or important functions.
  • All calculations and assessments are broken down by categories of financial entities as defined in Article 2(1) of Regulation (EU) 2022/2554, meaning a provider could be captured under one category but not another.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. When considering the criterion set out in Article 31(2), point (a), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:

      1. sub-criterion 1.1: share of the number of financial entities, broken down by categories of financial entities as listed in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions;

      2. sub-criterion 1.2: share of the total value of assets of financial entities, broken down by categories of financial entities as listed in Article 2(1) of Regulation (EU) 2022/2554, to which ICT services are provided by the same ICT third-party provider where the ICT services support critical or important functions of financial entities.

    1. The sub-criterion 1.1 set out in paragraph 1, point (a), shall be calculated as follows:

      number of financial entities of a category of financial entities

      as set out in Article 2(1) of Regulation (EU) 2022/2554,

      to which ICT services are provided by the same ICT third party services provider

      where the ICT services support critical or important functions of financial entities

      total number of financial entities of a category of financial entities

      as set out in Article 2(1) of Regulation (EU) 2022/2554

    1. The sub-criterion 1.2 set out in paragraph 1, point (b), shall be calculated as follows:

      total value of assets of financial entities of a category of financial entities

      as listed in Article 2(1) of Regulation (EU) 2022/2554,

      to which ICT services are provided by the same ICT third party provider

      where the ICT services support critical or important functions of financial entities

      total value of assets of all EU financial entities of the same category

      as set out in Article 2(1) of Regulation (EU) 2022/2554

    1. An ICT third-party service provider shall be considered as having fulfilled the ‘step 1’ sub-criteria referred to in paragraph 1 where both of the shares as calculated in accordance with paragraphs 2 and 3 are of at least 10 % of the total number for at least one category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.

    1. When considering the criterion set out in Article 31(2), point (a), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criteria:

      1. sub-criterion 1.3: the intensity of the impact of discontinuing the ICT services provided by the ICT third-party service provider on the activities and operations of financial entities identified in the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article and the number of those financial entities affected;

      2. sub-criterion 1.4: the dependence of the critical ICT third-party service provider on the same subcontractors providing ICT services supporting critical or important functions of financial entities.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod