Source: OJ L, 2024/1502, 30.5.2024
Digital operational resilience in the financial sector
Oversight framework
- Criteria for designating critical service providers
Article 1 Assessment approach
1. When considering the criteria set out in Article 31(2) of Regulation (EU) 2022/2554 to designate an ICT third-party service provider that is critical for financial entities, the ESAs shall apply the following approach:
(a) as a first step, the ESAs shall assess whether the ICT third-party service provider fulfils all of the ‘step 1’ sub-criteria set out in Articles 2(1), 3(1), and 5(1);
(b) as a second step, for those ICT third-party service providers that fulfil all of the ‘step 1’ sub-criteria referred to in point (a), the ESAs shall carry out their assessment in the light of the ‘step 2’ sub-criteria referred to in Articles 2(5), 3(4), 4(1), and 5(5).
By way of derogation from the first subparagraph, for the assessment of the criterion (c) of Article 31(2) of Regulation (EU) 2022/2554, the first step shall be covered by the assessment to be carried out for the criteria (a), (b) and (d) of Article 31(2) of Regulation (EU) 2022/2554.
2. After the end of the time period for the submission of a reasoned statement referred to in Article 31(5), first subparagraph, of Regulation (EU) 2022/2554, the ESAs, through the Joint Committee and upon recommendation from the Oversight Forum, shall designate an ICT third-party service provider as critical for financial entities if it fulfils all the ‘step 1’ sub-criteria referred to in paragraph 1, point (a), and following a positive outcome of the assessment carried out in relation to the ‘step 2’ sub-criteria referred to in paragraph 1, point (b).