Critical ICT Third-Party Providers (CTPP)

A short read on how the European Supervisory Authorities identify critical ICT third-party providers (CTPP).

[Image: flag of the EU with the words "Digital Operational Resilience Act" in gold. Caption: EU DORA flag]

When it comes to the EU DORA regulation, we're big fans. It sets the bar for digital operational resilience and governance quite high. You would expect the big (globally systemic) banks to already be doing a lot in these areas, but their challenge is the sheer size and complexity of their operations. Less significant banks struggle with size in a different way: they may simply not have the people or the skills to undertake what is required. But what about ICT third-party providers that have never been regulated at all?

Critical third-party providers

One area of confusion that keeps coming up, not just with financial entities but with third parties, is the concept of a critical ICT third-party provider. The confusion stems from the reader's perspective. Some ICT third-party providers consider themselves critical because one financial entity has classed them as critical to its own operations. While that matters for the financial entity's own ICT third-party risk management, it does not by itself mean that the provider will be designated a CTPP under the act.

Article 31 of DORA sets out how an ICT third-party service provider is assessed to determine whether it is a CTPP, and the definitions in Article 3 refer back to it: "Definition 23 – 'critical ICT third-party service provider' means an ICT third-party service provider designated as critical in accordance with Article 31".

To help clarify this area, the European Supervisory Authorities (ESAs) issued a consultation paper on the criteria for designating critical ICT third-party service providers and on oversight fees: the Joint European Supervisory Authorities Technical Advice.

Criteria for CTPP designation

The ESAs' assessment criteria cover:

  • The level of systemic impact on the EU financial system
  • The number of systemically important institutions supported, taking into account the interdependence between systemically important functions
  • The reliance of financial entities on the services provided, whether direct or indirect
  • The degree of substitutability of the provider

Supporting indicators

To support the assessment criteria, the ESAs have specified a set of indicators, both qualitative and quantitative, each with a minimum threshold that must be met for the indicator to be triggered. The indicators are applied in two steps (six indicators in the first step and five in the second) to guide the assessment.

[Image: two tables listing six and five indicators respectively, used to assess criticality. Caption: two-step assessment indicators]

Information sources

To carry out their assessment, the ESAs will use the "registers of information" on contractual arrangements with ICT third-party providers that financial entities in scope of DORA must maintain and submit. The ESAs are also looking to supplement this with external data sources to help with the criticality assessment.

CTPP Designation

Once the assessment has been completed, the ICT third-party provider is notified of the outcome. The provider then has six weeks to challenge the decision and submit any relevant information to assist the assessment. Once designated a CTPP, the provider must notify all financial entities to which it provides services.

Financial entities using a CTPP

It is worth noting that, given the level of due diligence DORA requires of financial entities under Article 28 ("Key principles for a sound management of ICT third-party risk"), the ESAs expect CTPPs to already have appropriate security and resilience controls in place. If a CTPP does not, the financial entities using it may find themselves answering some difficult questions about their own due diligence. So once a financial entity is advised that one of its providers has been designated a CTPP, it is time to revisit the regulatory-compliance entries in its ICT risk register and dust off the due-diligence assessment for that provider.

How IT Security Locksmith can help

If you need to undertake an EU Digital Operational Resilience Act gap analysis, please get in touch. We offer three levels:

  • Board level - takes about three weeks to complete
  • Management level - takes about six weeks to complete
  • Full gap analysis - takes about three months to complete

Free expert opinion!

If you are concerned about EU DORA, or have been told that it is all under control, please get in touch for a free, no-obligation consultation. We can help you understand the challenges and how to address them, and provide options and prices for you to take away and consider.

[Image: the four service areas of training, gap analysis, consultancy and general support. Caption: DORA supporting services from ITSL]

If nothing else, you get some expert opinion free of charge.

About IT Security Locksmith

IT Security Locksmith is a cybersecurity company that specialises in board-level training and consultancy.

To find out more about our capabilities please click here.

Our services page showcases the types of services we offer.

Click here to contact us for a no-obligation initial consultation.