Critical ICT Third-Party Providers (CTPP)
A short read on how the European Supervisory Authorities identify critical ICT third-party providers (CTPP).
When it comes to the EU DORA regulation, we're a big fan. It set the bar for digital operational resilience and governance quite high. You'd expect the big banks (globally systemic) to be doing a lot in these areas, but the challenge for them is their size and the complexity of their operations. Less significant banks, on the other hand, may struggle with size in a different way, by simply not having the people or the skills to undertake what's required. But what about ICT third-party providers that have never been regulated?
Critical third-party providers
One area of confusion that keeps coming up, not just with financial entities but with third parties, is the concept of a critical third-party provider. The confusion stems from the reader's perspective. Some ICT third parties consider themselves critical because one financial entity considers them critical. While that is important to that financial entity, it does not necessarily translate into the ICT third-party provider being designated a CTPP under the act.
Article 31 of DORA sets out how an ICT third-party service provider should be assessed to determine if it is a CTPP. "Definition 23 – 'critical ICT third-party service provider' means an ICT third-party service provider designated as critical in accordance with Article 31".
To help understand this area better, a consultation paper has been issued to clarify the criteria for critical third-party service providers and oversight fees: the Joint European Supervisory Authorities Technical Advice.
Criteria for CTPP designation
The ESAs' assessment criteria cover:
- The level of systemic impact on the EU financial system
- The number of systemically important institutions supported, taking into account the interdependence between systemically important functions
- The reliance on the services provided, whether direct or indirect
- The degree of substitutability
Supporting indicators
To support the assessment criteria, the European Supervisory Authorities (ESAs) have specified a set of six indicators, both qualitative and quantitative, each with a minimum threshold that must be met for the indicator to be triggered and so guide the assessment.
Information sources
In order to carry out their assessment, the ESAs will use the "registers of information" provided by the entities in scope for DORA. The ESAs are also looking to supplement this with external data sources to help with the criticality assessment.
CTPP Designation
Once the assessment has been completed by the Lead Overseer, it will notify the ICT third-party provider of its CTPP designation. The ICT third-party provider then has six weeks to challenge the decision and provide any relevant information to assist the assessment. Once designated a CTPP, the third party must notify all financial entities to which it provides services.
Under DORA, for financial entities to be permitted to continue using its ICT third-party services, the CTPP must set up a subsidiary in the EU within 12 months of the CTPP designation (Article 31.12).
Financial entities using a CTPP
It is worth noting here that, given the level of due diligence required by EU DORA under Article 28 ('Key principles for a sound management of ICT third-party risk'), the European Supervisory Authorities expect such CTPPs to have the appropriate security and resilience controls in place. If they do not, then the financial entities using them may find themselves having to answer some difficult questions around due diligence. Once financial entities are advised that their third-party provider is a CTPP, it may be time to revise the entries in their ICT Risk Register relating to regulatory compliance and dust down the due diligence assessment.
How IT Security Locksmith can help
If you need to undertake an EU Digital Operational Resilience Act gap analysis, please get in touch. We offer three levels:
- Board level - takes about three weeks to complete
- Management level - takes about six weeks to complete
- Full gap analysis - takes about three months to complete
Free expert opinion!
If you are concerned about EU DORA, or have been told that it's all under control, please get in touch for a free, no-obligation consultation. We can help you understand the challenges and how to go about addressing them, and provide you with options and prices to take away and consider.
If nothing else, you get some expert opinion free of charge!
About IT Security Locksmith
IT Security Locksmith is a cybersecurity company that specialises in board-level training and consultancy.
To find out more about our capabilities please click here.
Our services page showcases the types of services we offer.
Click here to contact us for a no-obligation initial consultation.