EXPLANATORY MEMORANDUM
1. CONTEXT OF THE DELEGATED ACT
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (the Digital Operational Resilience Act ‘DORA’) was published on 27 December 2022 and entered into force on 17 January 2023. This Regulation provides a comprehensive legal framework addressing various core components of the digital operational resilience of financial entities. DORA enhances the overall conduct of ICT risk management, establishes testing rules for ICT systems and increases financial supervisors’ awareness of cyber risks through an EU harmonised incident reporting scheme.
To address potential systemic and concentration risks posed by the financial sector’s reliance on a small number of ICT third-party service providers, the Regulation introduces an EU oversight framework for ICT third-party service providers deemed critical (CTPPs). As Lead Overseers (LOs), each of the three European Supervisory Authorities (‘ESAs’) will have the power to monitor on a pan-European scale the activity of CTPPs in the context of their ICT services to the financial sector. In particular, DORA entrusts the ESAs with exclusive competence to designate ICT third-party service providers as critical. The Regulation also gives the LOs a set of tasks and powers to oversee the activity of CTPPs.
To ensure that LOs have the necessary resources to effectively carry out the oversight tasks under DORA, Article 43 empowers them to charge fees to each designated CTPP to cover all the expenditure incurred by the LOs in relation to the conduct of oversight tasks. More specifically, the fees collected from CTPPs would need to cover the necessary expenditure in relation to the conduct of oversight tasks, including the costs which may be incurred because of the work carried out by the joint examination teams, and the cost of advice provided by independent experts in relation to matters falling under the remit of direct oversight activities. The fees charged to CTPPs shall be proportionate to the turnover of the critical ICT third-party service providers concerned.
Finally, Article 43(2) empowers the Commission to adopt a delegated act to determine the amount of the fees and the way in which they are to be paid.
2. CONSULTATIONS PRIOR TO THE ADOPTION OF THE ACT
Procedural aspects
On 21 December 2022, the Commission asked the ESAs for ‘technical advice’ on a Commission delegated act to further specify the criteria to be considered by the ESAs when assessing the critical nature of ICT third-party service providers, as well as on determining the amount of the fees and the way in which they are to be paid by CTPPs.
The ESAs conducted a public consultation on their draft technical advice between 26 May and 23 June 2023. In total, the ESAs received 41 responses to the consultation paper. The ESAs sent their technical advice to the Commission on 29 September 2023.
On 29 September 2023, the Commission consulted the Expert Group on Banking, Payments and Insurance (EGBPI) on the content of this delegated act. The Expert Group supported the Commission’s approach regarding the delegated act on the amount of the fees and the way in which they are to be paid. Representatives in the Expert Group did not raise any particular point.
In line with the Commission’s Better Regulation guidelines, the delegated act was subject to a four-week feedback period on the ‘Have Your Say’ portal from [TBC] to [TBC]. […] contributions were received. [In general, respondents highlighted…]
The Commission has fully considered all feedback received, including the technical advice provided by the ESAs, the responses to ESAs’ public consultation, the EGBPI’s feedback, as well as other input provided to the Commission by stakeholders. On this basis, the Commission is proposing the adoption under Article 43(2) of DORA of this delegated act further specifying the amount of the fees and arrangements under which they are to be paid by CTPPs. The delegated act is in line with the technical advice received from the ESAs.
Stakeholder views
Throughout the abovementioned consultations, as well as ad hoc contributions, the Commission received a wide range of views on the content of the delegated act. Those views mainly expressed the need to define a narrower basis for the applicable turnover, the need for further clarity on the methods to calculate the fees, the payment of the fees and the opt-in application.
Applicable turnover
In their responses to the public consultation organised by the ESAs, several market participants made various suggestions to tailor the applicable turnover to a limited scope of revenues, such as revenues from ICT services, from clients of the financial sectors, from critical ICT services, from the provision of services to European clients only, etc. In their feedback, stakeholders were also not able to confirm that independent auditors would be able to audit and certify such ad hoc applicable turnover / financial statements. A very limited number of respondents suggested alternative approaches, such as a standard fee applying to all CTPPs equally, in addition to a flexible fee that will depend on the turnover of the relevant CTPPs individually; taking into account the size of the client base of the CTPPs in the determination of the applicable turnover; that the fees charged to the CTPPs should reflect the quality of the risk management governance of the CTPPs, etc.
Methods of calculation
Respondents to the public consultation organised by the ESAs suggested defining fees that reflect the actual cost of oversight, rather than fees based on estimation or minimum fees. They also suggested that some information on the total expenditure, as well as the methodology, be disclosed. Other respondents proposed that surpluses be deducted from the oversight fees paid during the subsequent year, despite the principle of universality. There were also stakeholders that disagreed with the minimum fees being indexed on inflation and suggested that they rather be indexed on the annual evaluation of the aggregated applicable turnover of all CTPPs.
Payment of the fees and the opt-in application
Some market participants proposed to extend the payment term from 30 to 60 days, so as to be less intrusive and align it with established internal practices across CTPPs. Respondents also suggested that the ESAs should ensure the ICT providers are able to predict the amount of the oversight fees, so that they can take such fees into account when drawing up their budgets.
On the opt-in application fee, some stakeholders suggested a scaled fee instead of a fixed fee, while others found the proposal of the ESAs to be appropriate and justified.
3. LEGAL ELEMENTS OF THE DELEGATED ACT
Article 1 specifies the estimated expenditure for the fees.
Article 2 specifies the applicable turnover that is to be used to calculate the fees to be charged to the CTPPs.
Article 3 specifies the calculation method to be used by the ESAs for the calculation of the annual fees to be charged to CTPPs and establishes specific fee thresholds.
Article 4 specifies the oversight fees in relation to the first year of designation and the fee for the ‘opt-in’ requests.
Article 5 specifies the arrangements for paying the fees.
Article 5 provides the date of the entry into force of the act.
COMMISSION DELEGATED REGULATION (EU) …/...
of XXX
supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, and in particular Article 43(2) thereof,
Whereas:
(1) An annual supervisory fee should be established to fully cover the costs to be incurred by the Lead Overseer and the other European Supervisory Authorities when performing supervisory tasks in the context of Regulation (EU) 2022/254. The annual supervisory fee should also cover the costs incurred by competent authorities to whom tasks are delegated by the European Supervisory Authorities.
(2) In line with the principle of annuality and the principle of full cost recovery, the annual supervisory fees should be calculated on the basis of the estimated direct and indirect costs to be incurred by the EBA to perform its supervisory tasks. The annual supervisory fees should be adjusted every year to match the estimated costs.
(3) To ensure the fair allocation of supervisory fees which, at the same time, reflects the actual administrative effort devoted to each supervised entity, the annual supervisory fee should be proportionate to the turnover generated by the ICT third-party service provider in the Union from the provision of the ICT services to financial services clients.
(4) To ensure the accuracy of the financial information needed to calculate the applicable turnover, all figures provided by the ICT third-party service provider should be audited. Considering that information on the applicable turnover is necessary for the Lead Overseer to establish the amount of the oversight fee charged to each critical ICT third-party service provider yearly to cover the costs of the oversight, the Lead Overseer should consider the worldwide revenues generated by the ICT third-party service provider, irrespective of the types of clients, where the critical ICT third-party service provider does not provide tailored information on the revenues generated in the Union from the provision of the ICT services to financial institutions.
(5) A minimum annual oversight fee should be imposed on each critical ICT third-party service provider, given that certain fixed administrative costs apply for the supervision of all critical ICT third-party service providers, irrespective of the amount of turnover accrued.
(6) To cater for the specific costs incurred during the first year of designation and oversight of critical ICT third-party service providers, related among others to the designation process and the appointment of the Lead Overseer, a fixed fee should be established. To reflect the costs incurred for the oversight following the designation of the critical ICT third-party service provider, this fee should be adjusted to the period of time in that first year during which the critical ICT third-party service provider has been designated. It should replace the annual oversight fee for that year.
(7) To cover the additional costs related to the designation of critical ICT third-party service providers that voluntarily request to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, an additional fixed fee should be established. In order to discourage unfounded requests, such additional fixed fee should not be reimbursed if an ICT third-party service provider withdraws its request during the registration process, nor if the request is rejected.
(8) To ensure the timely payment of oversight fees, those fees should be paid within 30 days from the date of issuance of the Lead Overseer’s debit note. To simplify the fee payment flows, and to ensure ESAs have the necessary funds to carry out their planned supervisory activities, annual oversight fees should be paid in a single instalment during the first 3/4 months of the calendar year for which such fees are due by critical ICT third-party service providers subject to oversight activities on 1 January of that year or, in the case of critical ICT third-party service providers designated throughout that year, at the latest by the end of that year.
(9) All the fees charged should be set at a level such as to avoid a deficit or a significant accumulation of surplus. Where a significant positive or negative budget result becomes recurrent, the level of the fees should be revised,
HAS ADOPTED THIS REGULATION:
Article 1
Estimation of the expenditures of the Lead Overseers when performing their oversight duties
1. In each year, the Lead Overseer and the other European Supervisory Authorities shall estimate the overall annual costs that are expected to be incurred for the performance of their oversight duties. The amount of the overall annual costs estimated shall be the basis for determining the overall amount of oversight fees charged.
2. When estimating the annual overall costs, the Lead Overseer shall take into account the following direct and indirect costs:
(a) costs related to the designation of ICT third-party service providers as critical;
(b) costs related to the appointment of the Lead Overseer;
(c) costs related to the actual oversight of critical ICT third-party service providers, including the following:
(i) costs related to the participation of competent authorities in that oversight;
(ii) costs incurred as a result of work carried out by the joint examination team;
(iii) costs of advice provided by independent experts;
(d) costs related to the follow-up of the recommendations issued by the Lead Overseers in accordance with Article 35(1), point (d), of Regulation (EU) 2022/2554;
(e) costs related to the governance of the oversight framework.
Article 2
Applicable turnover of critical ICT third-party service providers for the calculation of the oversight fees
1. For the purposes of Article 3, the turnover of a critical ICT third-party service provider shall be its revenues generated in the Union from the provision of the ICT services listed in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554 and provided to the financial institutions listed in Article 2(1) of Regulation (EU) 2022/2554.
2. Critical ICT third-party service providers shall provide the Lead Overseer, on an annual basis in year n-1, with audited figures specifying the turnover referred to in paragraph 1 for year n-2. Critical ICT third-party service providers shall provide those figures to the Lead Overseer by 31 December each year.
3. Where the critical ICT third-party service provider does not provide the Lead Overseer with audited figures by the date referred to in paragraph 2 that are limited to revenues generated from the provision of services to financial institutions listed in Article 2(1) of Regulation (EU) 2022/2554, the Lead Overseer shall consider the turnover generated in the Union from the provision of the ICT services listed in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554 irrespective of the type of clients of the critical ICT third-party service provider.
Where the critical ICT third-party service provider does not provide the Lead Overseer with audited figures by the date referred to in paragraph 2 that are limited to revenues generated in the Union from the provision of ICT services referred to in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554, the Lead Overseer shall consider the worldwide turnover generated from the provision of those ICT services.
4. Where critical ICT third-party service providers report the revenues in a currency other than the euro, the Lead Overseer shall convert those revenues into euro using the average euro foreign exchange rate applicable to the period during which the revenues were recorded, as published by the European Central Bank.
Article 3
Calculation of the oversight fees
1. For each critical ICT third-party service provider, the annual oversight fee for a given year (n) shall be the estimated overall annual costs referred to in Article 1 adjusted by the turnover coefficient referred to in paragraph 2 based on its applicable turnover for the year n-2.
2. For each critical ICT third-party service provider, the turnover coefficient shall be based on the applicable turnover referred to in Article 2 and shall be calculated as follows:
3. In no case shall the critical ICT third-party service provider pay an annual oversight fee that is less than EUR 50 000.
Article 4
Oversight fees in year of designation and ‘opt-in’ requests
1. By way of derogation from Article 3, for the first year in which a third-party service provider is designated as critical, a critical ICT third-party service provider shall pay an oversight fee of EUR 500 000. Where the period of the oversight of such critical ICT third-party service provider does not correspond to a full year, that oversight fee shall be equal to EUR 500 000, multiplied by the number of calendar days from the designation of the ICT third-party service provider until the end of that year and divided by the total number of days in that year.
2. Where an ICT third-party service provider requests to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, it shall pay, in addition to the fee referred to in paragraph 1 of this Article, a fixed opt-in fee of EUR 50 000. The Lead Overseer shall not reimburse that fixed opt-in fee where the request to be designated as critical is rejected by the Joint Committee or withdrawn by the ICT third-party service provider.
Article 5
Payment of the oversight fees
1. Critical ICT third-party service providers shall pay the oversight fees referred to in Article 43 of Regulation (EU) 2022/2554 to the Lead Overseer on an annual basis.
2. All oversight fees shall be invoiced and paid in euro. Debit notes for oversight fees shall set payment terms of at least 30 days.
3. All oversight fees shall be paid in a single instalment. Critical ICT third-party service providers which will be subject to oversight activities on 1 January of a given year shall pay the debit note by 30 April of that year. Critical ICT third-party service providers designated throughout the year shall pay the fees referred to in Article 4 in a single instalment by 31 December of that year.
4. Any late payment shall incur the default interest laid down in Article 99 of Regulation (EU, Euratom) 2018/1046.
Article 6
Communication between the Lead Overseer and critical ICT third-party service providers
For the purposes of this Regulation, all communication between the European Supervisory Authorities and critical ICT third-party service providers shall take place by electronic means.
Article 7
Entry into force and date of application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels,
For the Commission
The President
Ursula von der Leyen