Art. 5 Degree of substitutability | Criteria for designating critical service providers | DORA

1. When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service providermeans an undertaking providing ICT services; fulfils the following ‘step 1’ sub-criteria:
  1. sub-criterion 4.1: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which no alternative ICT third-party service providermeans an undertaking providing ICT services; is available which has the required capacity to provide the same ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of financial entities as the one provided by the relevant ICT third-party service providermeans an undertaking providing ICT services;;
  2. sub-criterion 4.2: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which it is highly difficult to migrate an ICT service provided by the relevant ICT third-party service providermeans an undertaking providing ICT services; that supports critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of financial entities to another ICT third-party service providermeans an undertaking providing ICT services;.

The sub-criterion 4.1 set out in paragraph 1, point (a), shall be calculated as follows:

number of financial entities of a category of financial entities as set out in

Article 2(1) of Regulation (EU) 2022/2554,

for which no alternative ICT third party service provider is available

which has the required capacity to provide the same ICT servicesmeans digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;

that support critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of financial entities

as the one provided by the relevant ICT third party service provider

total number of financial entities of that category of financial entities

as set out in Article 2(1)of Regulation 2022/2554

The sub-criterion set out in paragraph 1, point (b), shall be calculated as follows:

number of financial entities of a category of financial entities as set out in

Article 2(1) of Regulation (EU) 2022/2554,

for which it is highly difficult to migrate or reintegrate an ICT service provided

by the ICT third party provider that support

critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; to another ICT third party provider

total number of EU financial entities of that category of financial entities

as set out in Article 2(1) of Regulation (EU) 2022/2554

1. An ICT third-party service providermeans an undertaking providing ICT services; shall be considered as having fulfilled both sub-criteria 4.1 and 4.2 where either of the following is met:
  1. the share of the total number of financial entities referred to in paragraph 1, point (a), is of at least 10 % of the total number of financial entities for a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554;
  2. the share of the total number of financial entities referred to in paragraph 1, point (b), is of at least 10 % of the total number of financial entities or a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.
1. When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554 and where the ICT third-party service providermeans an undertaking providing ICT services; fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the step two sub-criterion specified in Article 31(2), point (d)(i) of Regulation (EU) 2022/2554.