Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities
Commission Delegated Regulation (EU) 2024/1502of 22 February 2024supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities(Text with EEA relevance) THE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj., and in particular Article 31(6) thereof,Whereas:(1)To assess whether an ICT third-party service provider is critical for financial entities, and taking into account the criteria set out in Article 31(2) of Regulation (EU) 2022/2554, the European Supervisory Authorities (ESAs) should use sub-criteria in a two-step approach assessment. Considering the important number of ICT services and the diversity and number of financial institutions using those services, such a two-step approach should be undertaken to filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers. The quantitative sub-criteria that are to be considered as part of the first step of the assessment are necessary to carry out a first selection of the population of ICT third-party service providers for which it is relevant to carry out a further in-depth analysis in light of the qualitative sub-criteria that are to be considered as part of the second step of the assessment.(2)The extent to which an ICT service provided by an ICT third-party service provider supports critical or important functions of the financial entity is considered a crucial element of the criticality assessment in general. Therefore, the importance of the activities of the financial entities that are supported by ICT services should be integrated in all sub-criteria considered as part of the first step. Consequently, there should not be a distinct quantitative assessment related to the criticality of the functions of the financial entities as part of the first step of the assessment. Instead, it is appropriate that the ESAs consider the criticality and importance of the functions of the financial entities supported by ICT services as part of the qualitative second step of the assessment.(3)The assessment should be carried out per individual ICT third-party service provider or, where applicable, per group of ICT third-party services providers in case the ICT third-party service provider belongs to a group as per Article 31(3) of Regulation (EU) 2022/2554. In order to enable a comprehensive assessment of the potential systemic impact on the Union financial sector, ICT subcontractors of ICT third-party service providers should also be subject to the assessment by the ESAs, and where applicable, designated as critical ICT third-party service providers.(4)To determine the systemic impact of the ICT third-party service provider on the stability, continuity or quality of the provision of financial services it is of paramount importance to develop a clear view on the extent and nature of systemic impact which a large-scale operational failure of an ICT third-party service provider would have on financial entities, which rely on services provided by an ICT third-party service provider, and on the financial system. Therefore, it is appropriate to consider the number of financial entities of a specific category of financial entities using the same ICT services, as well as the value of their assets to assess whether it is relevant to consider the ICT third-party service provider offering those ICT services as critical. Furthermore, a qualitative assessment of the systemic importance and interconnectedness of ICT third-party service providers, as well as the importance of the services provided by an ICT third-party provider on financial entities’ provision of financial services taking into account the stability and the continuity of the services should be carried out to determine the systemic impact of the ICT third-party service provider on the activities of financial entities.(5)To determine the systemic character and importance of the financial entities relying on the ICT services, it is necessary to take into account the nature of those financial entities. Where financial entities that are classified as G-SIIs and O-SIIs or that are identified as "systemic" rely on the same ICT services to support their critical or important functions, it is appropriate to assess whether the ICT third-party service provider providing those services should be considered as critical for the Union financial sector. The interconnectedness between financial entities within the Union financial sector that rely on ICT services provided by the same ICT third-party service provider should also be assessed to determine the reliance of financial entities on that ICT third-party service provider.(6)The ICT services supporting critical or important functions of the financial entities should be assessed in respect of their type and critical nature that are necessary for the financial entities to run their activities without any disruptions.(7)To determine the degree of substitutability of the ICT third party service provider, it is necessary to take into account the number of ICT third-party service providers active on a given market, the existence of alternative solutions for the same ICT service, as well as at the costs of migrating data and ICT workloads to other ICT third-party service providers as part of the assessment to be carried out by the ESAs.(8)In order to ensure the soundness of the assessment process, it is important that the ESAs rely on the data from the registers of information referred to in Article 28(3) of Regulation (EU) 2022/2554, and any other readily available information, when assessing whether the ICT third-party service providers should be designated as critical,HAS ADOPTED THIS REGULATION:
Loading ...