20 November 2023 – This Circular published by the Malta Financial Services Authority (the “MFSA” or “Authority”) supplements a circular published in January 2023 by the Authority titled Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector Published on the EU Official Journal. Regulation (EU) 2022/2554 (“DORA”) was published on 27 December 2022 and entered into force on 17 January 2023. This Regulation provides a comprehensive legal framework addressing various core components of the digital operational resilience of financial entities. DORA enhances the overall conduct of ICT risk management, establishes testing rules for ICT systems and increases financial supervisors’ awareness of cyber risks through an EU harmonised incident reporting scheme.
In a bid to address potential systemic and concentration risks posed by the financial sector’s reliance on a small number of ICT third-party service providers, DORA establishes an EU oversight framework for ICT third-party service providers considered to be critical (“CTPPs”). As Lead Overseers (“LO”), each of the three European Supervisory Authorities (“ESAs”) will have the power to monitor, on a pan-European scale, the activity of CTPPs in the context of the ICT services they provide to the financial sector. DORA also allows LOs to charge fees to each designated CTPP to cover all the expenditure they incur in conducting their oversight tasks. More specifically, the fees collected from CTPPs would need to cover the necessary expenditure in relation to the conduct of oversight tasks, including the costs which may be incurred because of the work carried out by the joint examination teams, and the cost of advice provided by independent experts in relation to matters falling under the remit of direct oversight activities.
Furthermore, Article 31(6) of DORA empowers the Commission to adopt a delegated act to further specify the criteria for the designation of ICT third-party service providers as critical. More specifically, the designation criteria must be further specified in relation to the following:
- The systemic impact that a failure or operational outage of an ICT third-party service provider could have on the financial entities to which it provides ICT services;
- The systemic character or importance by taking into account the number of global systemically important institutions (“G-SIIs”) or other systemically important institutions (“O-SIIs”) that rely on the ICT third-party service provider;
- The criticality or importance of the functions supported by the ICT services provided by the ICT third-party service provider; and
- The degree of substitutability of the ICT third-party service provider, taking into account the number of ICT third-party service providers active on a given market, as well as the costs of migrating data and ICT workloads to other ICT third-party service providers.
The European Commission (“EC”) is proposing to adopt two delegated acts to supplement DORA. The delegated acts will supplement Chapter V, Section II, titled Oversight Framework of Critical ICT third-party Service Providers. The proposed acts are expected to fulfil their objective in the following ways:
- By specifying the criteria for the designation of ICT third-party service providers as critical for financial entities; and
- By determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid.
Following public consultation, the EC plans to adopt the delegated acts in the second quarter of 2024. As such, financial entities and other interested stakeholders are invited to provide their feedback on both delegated acts. The deadline for the submission of comments is 14 December 2023.
The MFSA informs authorised persons that they may request further information by sending an email to the Supervisory ICT Risk and Cybersecurity function at [email protected].
Interested parties may submit their feedback here:
The full circular can be accessed here:
For more information on DORA, and its regulatory implications, feel free to contact us.