Source: OJ L, 2024/1502, 30.5.2024Current language: EN
- Digital operational resilience in the financial sector
Oversight framework
- Criteria for designating critical service providers
Article 5 Degree of substitutability
Summary What does Article 5 of the Criteria for designating critical service providers say?
This article addresses the criticality designation criterion concerning the substitutability of an ICT third-party service provider — that is, how replaceable it is.
It follows the same two-step assessment structure established in Article 1, directing the ESAs to first test whether a provider crosses a measurable threshold of irreplaceability or migration difficulty, and then, if that threshold is met, to move to a deeper qualitative assessment drawn directly from DORA itself.
The two step 1 sub-criteria focus on the proportion of financial entities that either lack a viable alternative provider or would find it highly difficult to migrate away from the current one.
Important points:
- The ESAs are required to assess substitutability by measuring the share of financial entities per category that have no adequate alternative provider available, and separately, those for which migration would be highly difficult.
- The 10% threshold applies: an ICT third-party service provider clears the step 1 hurdle if either of those shares reaches at least 10% within any single category of financial entities.
- If the step 1 threshold is met, the ESAs must then apply the step 2 sub-criterion referenced directly in Article 31(2), point (d)(i) of DORA, rather than one defined within this act.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:
sub-criterion 4.1: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which no alternative ICT third-party service provider is available which has the required capacity to provide the same ICT services that support critical or important functions of financial entities as the one provided by the relevant ICT third-party service provider;
sub-criterion 4.2: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which it is highly difficult to migrate an ICT service provided by the relevant ICT third-party service provider that supports critical or important functions of financial entities to another ICT third-party service provider.
The sub-criterion 4.1 set out in paragraph 1, point (a), shall be calculated as follows:
number of financial entities of a category of financial entities as set out in
for which no alternative ICT third party service provider is available
which has the required capacity to provide the same ICT services
that support critical or important functions of financial entities
as the one provided by the relevant ICT third party service provider
total number of financial entities of that category of financial entities
as set out in Article 2(1)of Regulation 2022/2554
The sub-criterion set out in paragraph 1, point (b), shall be calculated as follows:
number of financial entities of a category of financial entities as set out in
for which it is highly difficult to migrate or reintegrate an ICT service provided
by the ICT third party provider that support
critical or important functions to another ICT third party provider
total number of EU financial entities of that category of financial entities
as set out in Article 2(1) of Regulation (EU) 2022/2554
An ICT third-party service provider shall be considered as having fulfilled both sub-criteria 4.1 and 4.2 where either of the following is met:
the share of the total number of financial entities referred to in paragraph 1, point (a), is of at least 10 % of the total number of financial entities for a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554;
the share of the total number of financial entities referred to in paragraph 1, point (b), is of at least 10 % of the total number of financial entities or a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.
When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the step two sub-criterion specified in Article 31(2), point (d)(i) of Regulation (EU) 2022/2554.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT third-party service provider
Definition
ICT services
Definition
critical or important function