Details
- Publication date
- 29 September 2023
Description
In light of the two delegated acts envisaged in the Regulation on Digital Operational Resilience for the Financial Sector (DORA), the European Commission has requested the ESAs’ technical advice to further specify the criteria for critical ICT third-party service providers (CTPPs) and determine the fees levied on such providers1. This report sets out the advice of the ESAs in response to this request.
The first part of the report proposes a number of relevant quantitative and qualitative indicators for each of the criticality criteria, along with the necessary information to build up and interpret such indicators. Moreover, a number of minimum relevance thresholds are proposed for the quantitative indicators, where possible and applicable. These minimum relevance thresholds should not be understood as triggers of criticality but a minimum requirement above which the criticality assessment could be carried out. Details of the designation procedure as well as the related methodology are explicitly excluded from this report and shall be defined no later than six months after the adoption of the delegated act by the Commission2, also in the context of the implementation of the oversight framework.
The second part of the report proposes the necessary types of expenditure that shall be covered by oversight fees, the appropriate method, basis and available information for determining the applicable turnover of the CTPPs (which will form the basis of fee calculation) as well as the method of fee calculation and other practical issues regarding the payment of fees.