The three European Supervisory Authorities (European Banking Authority, European Insurance and Occupational Pensions Authority and European Securities and Markets Authority – the ESAs) published an indicative overview of information and communication technology (ICT) third-party providers (TPPs) as part of their preparations for the Digital Operational Resilience Act (DORA).
The analysis aims to map the provision of ICT services by TPPs to financial entities in the European Union (EU) and to support the ESAs’ policy-making process in light of the European Commission’s call for advice to further specify the criteria for critical ICT TPPs and to determine oversight fees.
The data collection exercise was the first of its kind, covering ICT-related contractual arrangements for entities across the financial sector. Overall, the exercise has identified around 15,000 ICT TPPs directly serving financial sector entities across the EU. It has found that the most frequently used ICT TPPs support critical or important functions for their clients in a wide range of services. In addition, most critical services were classified as non-substitutable by financial institutions.
The EU financial entities comprise not just signatories to a given contract with an ICT TPP, but all Entities Making use of the Contract (EMCs). In other words, to avoid potential ambiguity, the term “EMCs” refers to all financial entities that have the right to use an ICT service provided by an ICT TPP under the terms of a given contract.
The data collection exercise has also revealed some valuable lessons for the implementation of DORA. For instance, it has underlined the importance of ensuring that financial entities provide unique identifiers in the data submitted and the need to develop an appropriate ICT services taxonomy.