On 26 May 2023, the European Supervisory Authorities^[1] (‘ESAs’) published a joint Discussion Paper addressing certain aspects of DORA^[2], i.e. the criteria for critical third-party service providers (CTPPs) and oversight fees to be collected from CTPPs.

The Discussion Paper is divided into two parts. The first part concerns the criteria to be considered by the ESAs when assessing the key nature of third-party providers of ICT services (Article 31(2) of DORA). A series of quantitative and qualitative indicators have been proposed for each criterion, together with information necessary to design such indicators. The other part of the Paper sets out proposals on the amount of fees charged for the oversight of CTPPs (Article 43 of DORA) and how the fees are to be paid.

Market participants may express their opinions on the topics covered by the Discussion Paper. Comments may be sent by 23 June 2023, using a form available on ESAs’ websites.

The opinions submitted will be considered by ESAs when preparing a joint technical advice for the European Commission.

More details and the Discussion Paper can be found here:

https://www.eba.europa.eu/esas-launch-discussion-criteria-critical-ict-third-party-service-providers-and-oversight-fees

^[1] European Securities and Markets Authority (ESMA), European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA).

^[2] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.