The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) have today published an indicative overview of information and communication technology (ICT) third-party providers (TTP) as part of their preparations for the Digital Operational Resilience Act (DORA). The analysis aims to map the provision of ICT services by TPPs to financial entities in the European Union and to support the ESAs’ policy making process in light of the European Commission’s call for advice to further specify the criteria for critical ICT TPPs and to determine oversight fees.
The data collection exercise on which the Report is based was the first of its kind, covering ICT-related contractual arrangements for entities across the financial sector. Overall, the exercise has identified around 15,000 ICT TPPs directly serving financial sector entities across the EU. It has found that the most frequently used ICT TPPs support critical or important functions for their clients in a wide range of services. In addition, most critical services were classified as non-substitutable by financial institutions.
The data collection exercise has also revealed some valuable lessons for the implementation of DORA. For instance, it has underlined the importance of ensuring that financial entities provide unique identifiers in the data submitted and the need to develop an appropriate ICT services taxonomy.
Legal basis and background
The ESAs, with the support of their respective competent authorities, agreed to carry out a data collection exercise on a sample of financial entities as part of their preparations for DORA. The results of the analysis are based on information provided on a best-effort basis by a broad sample of financial entities across the EU financial sector.