Source: OJ L, 2024/1502, 30.5.2024

Current language: EN

Article 5 Degree of substitutability


Summary What does Article 5 of the Criteria for designating critical service providers say?

This article addresses the criticality designation criterion concerning the substitutability of an ICT third-party service provider — that is, how replaceable it is.

It follows the same two-step assessment structure established in Article 1, directing the ESAs to first test whether a provider crosses a measurable threshold of irreplaceability or migration difficulty, and then, if that threshold is met, to move to a deeper qualitative assessment drawn directly from DORA itself.

The two step 1 sub-criteria focus on the proportion of financial entities that either lack a viable alternative provider or would find it highly difficult to migrate away from the current one.

Important points:

  • The ESAs are required to assess substitutability by measuring the share of financial entities per category that have no adequate alternative provider available, and separately, those for which migration would be highly difficult.
  • The 10% threshold applies: an ICT third-party service provider clears the step 1 hurdle if either of those shares reaches at least 10% within any single category of financial entities.
  • If the step 1 threshold is met, the ESAs must then apply the step 2 sub-criterion referenced directly in Article 31(2), point (d)(i) of DORA, rather than one defined within this act.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554, the ESAs shall assess whether the ICT third-party service provider fulfils the following ‘step 1’ sub-criteria:

      1. sub-criterion 4.1: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which no alternative ICT third-party service provider is available which has the required capacity to provide the same ICT services that support critical or important functions of financial entities as the one provided by the relevant ICT third-party service provider;

      2. sub-criterion 4.2: the share of the total number of financial entities, broken down by categories of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554, for which it is highly difficult to migrate an ICT service provided by the relevant ICT third-party service provider that supports critical or important functions of financial entities to another ICT third-party service provider.

    1. The sub-criterion 4.1 set out in paragraph 1, point (a), shall be calculated as follows:

      number of financial entities of a category of financial entities as set out in

      for which no alternative ICT third party service provider is available

      which has the required capacity to provide the same ICT services

      that support critical or important functions of financial entities

      as the one provided by the relevant ICT third party service provider

      total number of financial entities of that category of financial entities

    1. The sub-criterion set out in paragraph 1, point (b), shall be calculated as follows:

      number of financial entities of a category of financial entities as set out in

      for which it is highly difficult to migrate or reintegrate an ICT service provided

      by the ICT third party provider that support

      critical or important functions to another ICT third party provider

      total number of EU financial entities of that category of financial entities

    1. An ICT third-party service provider shall be considered as having fulfilled both sub-criteria 4.1 and 4.2 where either of the following is met:

      1. the share of the total number of financial entities referred to in paragraph 1, point (a), is of at least 10 % of the total number of financial entities for a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554;

      2. the share of the total number of financial entities referred to in paragraph 1, point (b), is of at least 10 % of the total number of financial entities or a category of financial entities as set out in Article 2(1) of Regulation (EU) 2022/2554.

    1. When considering the criterion set out in Article 31(2), point (d), of Regulation (EU) 2022/2554 and where the ICT third-party service provider fulfils the ‘step 1’ sub-criteria referred to in paragraph 1 of this Article, the ESAs shall carry out their assessment in the light of the step two sub-criterion specified in Article 31(2), point (d)(i) of Regulation (EU) 2022/2554.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod