On 16 November, the Commission launched a 4-week "Have your say" feedback period on two delegated regulations to be adopted by the Commission under Regulation (EU) 2022/2554, which specifies the rules on digital operational resilience for the financial sector (DORA). These delegated regulations are the first of a series of delegated acts to complement and complete the EU regulatory framework on cybersecurity matters for the financial sector, which will apply from 17 January 2025.
To address potential systemic and concentration risks posed by the financial sector's reliance on a small number of third-party providers of information and communication technology (ICT) services, DORA introduces a Union oversight framework for ICT third-party service providers deemed critical (CTPPs) and:
- empowers the Commission to further specify the criteria for determining whether a third-party provider of ICT services is critical for the financial sector (e.g. the degree of systemic impact if a TPP were to suffer a large-scale operational failure, the degree to which systemically important financial institutions rely on ICT services provided by the TPP, etc.)
- to ensure that the overseers have the necessary resources to effectively carry out the oversight tasks, empowers them to charge fees to each designated CTPP to cover all the expenditure incurred in relation to the conduct of oversight tasks
The two delegated acts published cover these two DORA objectives.
The deadline for providing your feedback is 14 December 2023.