ESAs launch discussion on criteria for critical ICT third-party service providers and oversight fees

The ESAs have published a joint Discussion Paper on the criteria for CTPPs and the oversight fees to be imposed on them. This paper is a response to a request for technical advice from the EC regarding the DORA.
The DORA aims to establish a comprehensive framework for the digital operational resilience of the financial sector, including enhanced ICT risk management and testing rules for ICT systems, as well as Union oversight of critical ICT third-party service providers.
The Discussion Paper is divided into two parts:
The first part proposes criteria for assessing the critical nature of ICT third-party service providers. It suggests various quantitative and qualitative indicators for each criterion, along with the necessary information to construct these indicators. The aim is to identify indicators relevant to assessing criticality, although the methodology for the assessment itself is not covered in this paper.
The second part of the paper focuses on the fees levied on CTPPs and their payment methods. It discusses the types of expenditure that should be covered by the fees and proposes a method for determining the applicable turnover of CTPPs, which would form the basis for fee calculation. The ESAs also seek input on the fee calculation method and practical issues related to fee payment.
The feedback collected through this consultation will shape the delegated acts that will further specify the criteria for critical ICT third-party service providers, and determine the oversight fees under the DORA.
Comments to this Discussion Paper may be sent to the ESAs via EUSurvey no later than 23 June 2023. All contributions received will be published following the end of the consultation period, unless requested otherwise.