On 4 January 2023 the European Banking Authority (EBA) published a letter from the European Commission (“the Commission”) to the European Supervisory Authorities (ESAs) requesting advice on designation criteria and fees for the oversight framework for critical third-party service providers set out under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). Together with the letter, the EBA published the content of the Call for Technical Advice, which sets out in more detail the scope of the advice requested by the Commission. As per the mandate set out in DORA, the ESAs are requested to deliver technical advice on two delegated acts:
- Delegated act specifying the amount of fees to be collected from critical third-party service providers; and
- Delegated act specifying the criteria for assessing criticality. In respect of this delegated act the ESAs are requested to specify the relevant indicators of a qualitative and quantitative nature of each of the four criteria to determine criticality of third-party service providers as set out in DORA and including:
- The systemic impact on the stability, continuity or quality of the provision of financial services in the event that a critical third-party service provider would face a large-scale operational failure to provide its services;
- The systemic character or importance of the financial entities that rely on a critical third-party service provider;
- The reliance of financial entities on the services provided by a critical third-party service provider; and
- The degree of substitutability of a critical third-party service provider.
The deadline for the ESAs to deliver the technical advice is 30 September 2023. DORA will become applicable on 17 January 2025.