On 22 February 2024, the European Commission (Commission) adopted two Delegated Regulations supplementing the Regulation on digital operational resilience for the financial sector (DORA):
- Commission Delegated Regulation of 22 February 2024 supplementing DORA by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third party service providers and the way in which those fees are paid. DORA introduces an EU oversight framework for ICT third-party service providers deemed critical (CTPPs). As Lead Overseers each of the three European Supervisory Authorities will have the power to monitor on a pan-European scale the activity of CTPPs in the context of their ICT services to the financial sector. To ensure that Lead Overseers have the necessary resources to effectively carry on the oversight tasks under DORA, Article 43 empowers them to charge fees to each designated CTPP to cover all the expenditure incurred by the Lead Overseers in relation to the conduct of oversight tasks. Article 43 empowers the Commission to adopt a delegated act to determine the amount of the fees and the way in which they are to be paid.
- Commission Delegated Regulation (EU) of 22 February 2024 supplementing DORA by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities. Article 31(6) of DORA empowers the Commission to adopt a delegated act to further specify the criteria for the designation of ICT third-party service providers as critical.
Both Delegated Regulations enter into force on the twentieth day following their publication in the Official Journal of the EU. They shall be directly applicable in all Member States.