CTPP Designation Criteria – RTS (EU) 2024/1502
Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities
Abstract
Regulatory Technical Standards under DORA (Article 31(6)) establishing the criteria and a two-step assessment approach for designating ICT third-party service providers as critical for financial entities, covering systemic impact, systemic character and importance of ICT services, criticality of supported functions, and degree of substitutability, including consideration of provider groups and relevant subcontractors.
Key Takeaways
- Introduces a two-step approach (quantitative step 1 screening followed by qualitative step 2 analysis) to identify ICT third-party service providers that may be designated as critical under DORA Article 31.
- Defines quantitative thresholds for systemic impact, including shares of affected financial entities and shares of their total assets for at least one category of financial entities (10% threshold).
- Sets systemic-importance triggers based on usage by G-SIIs/O-SIIs and other ‘systemic’ financial entities, and requires assessment of interconnectedness/interdependence among reliant entities.
- Requires qualitative assessment of the impact intensity of service discontinuation and the provider’s reliance on common subcontractors supporting critical or important functions.
- Assesses degree of substitutability, including lack of viable alternative providers and difficulty of migration/reintegration, with defined quantitative thresholds and subsequent qualitative evaluation.
Keywords
Need DORA-Aligned AI Architecture?
We build AI systems that satisfy DORA requirements from day one. Audit trails, governance, exit readiness - built in, not bolted on.
Schedule Architecture Reviewviktor@intellectumlab.com | Response within 24 hours