Art. 3 Systemic character and importance of the ICT services provided to financial entities | Criteria for designating critical service providers | DORA

This article sets out the specific sub-criteria the ESAs must apply when assessing an ICT third-party service provider against the systemic importance criterion of Article 31(2)(b) of DORA.

Following the two-step framework established in Article 1, it focuses on whether a provider serves systemically important financial institutions — namely G-SIIs, O-SIIs, and other financial entities identified as systemic by competent authorities.

The step 1 sub-criteria establish precise numerical thresholds that trigger further scrutiny, while the step 2 sub-criterion looks at whether those systemically important clients are interdependent with one another through their shared reliance on the same ICT provider.

Important points:

The ESAs are required to assess whether an ICT third-party service provider crosses defined thresholds of exposure to systemically important institutions, such as serving at least one G-SII, at least three O-SIIs, or one O-SII with a score above 3,000.
The step 1 thresholds also extend beyond credit institutions to other categories of systemic financial entities identified by competent authorities, ensuring broader coverage across the financial sector.
If step 1 thresholds are met, the ESAs must then assess the interdependence of those systemic clients, including where they provide financial infrastructure services to other financial entities using the same ICT provider.

1. When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:
  1. sub-criterion 2.1: number of global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs) that are credit institutions to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions;
  2. sub-criterion 2.2: number of financial entities, other than credit institutions and G-SIIs and O-SIIs referred to in point (a) above, identified as systemic by competent authorities referred to under Article 46 of Regulation (EU) 2022/2554 to which ICT services are provided by the same ICT third-party service provider where the ICT services support critical or important functions.
1. An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (a), if the ICT services it provides are used at least by either of the following:
  1. one G-SII;
  2. at least three O-SIIs;
  3. at least one O-SII with an O-SII score above 3 000 calculated in accordance with Article 131(3) of Directive 2013/36/EU of the European Parliament and of the Council(²).
1. An ICT third-party service provider shall be considered as having fulfilled the sub-criterion set out in paragraph 1, point (b), if the ICT services that it provides are used at least by either of the following:
  1. one financial entity that is a financial entity as referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which is identified as ‘systemic’ by competent authorities;
  2. at least three financial entities, other than credit institutions and than financial entities referred to in Article 2(1), points (g), (h), (i) or (j) of Regulation (EU) 2022/2554 and which are identified as ‘systemic’ by competent authorities.
1. When considering the criterion set out in Article 31(2), point (b), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the following ‘step 2’ sub-criterion:
  1. sub-criterion 2.3: G-SIIs or O-SIIs and other financial entities included in the assessment in the ‘step 1’ sub criteria referred to in paragraph 1 of this Article, including where those G-SIIs or O-SIIs provide financial infrastructure services to other financial entities, relying on an ICT service provided by the same ICT third-party service provider, are interdependent.