Proposals for direct oversight of critical ICT service providers

New proposals from the European Commission would make third-party ICT service providers deemed "critical" to the EU financial system subject to direct regulatory oversight for the first time, with significant fines for non-compliance.

This briefing explores the Proposal for a Regulation on Digital Operational Resilience and the potential impact on service providers that might be designated under the regime.

For information on how the Proposal would impact financial services firms, please see our separate briefing here.

The status quo: Regulatory powers relating to service providers

At present, EU financial services regulators do not tend to have direct oversight powers in relation to unregulated ICT service providers. Instead, any regulatory intervention needs to take place indirectly through the regulated firm using their services. There are some exceptions to this, such as the PRA's direct information-gathering powers for information relevant to the stability of the UK financial system, and certain firms are required to obtain contractual audit rights for their regulators. However, in general, ICT service providers are currently subject to indirect regulatory oversight only.

This looks set to change under the proposals. Instead, providers designated as "critical ICT third-party service providers" ("CITPSPs") would be subject to direct oversight at the EU level for the first time.

Why has this been proposed?

Financial services firms increasingly rely on advanced ICT services provided by specialist providers. The Commission has raised concerns over the lack of an oversight mechanism to monitor potential risks stemming from these providers, including potential concentration risks and contagion risks that could impact the wider financial services sector.

Which service providers would be designated and how would they be selected?

Only service providers designated as "critical" by the European Supervisory Authorities ("ESAs") would be subject to the oversight regime. The ESAs would make this designation based on a set of qualitative and quantitative criteria, including:

• the systemic impact on the stability, continuity or quality of financial services in the event that the provider faced a large scale operational failure
• the systemic character or importance of firms that rely on the provider
• the degree of reliance of those firms on the provider for critical or important functions
• the degree of substitutability of the provider
• the number of Member States in which services are provided and used by firms.

Service providers not designated as CITPSPs would have the option to voluntarily "opt in" (although how many will choose to do so is unclear). One potential benefit might be the centralization of oversight at the EU level rather than across multiple EU Member States; for CITPSPs, national regulators would be discouraged from taking measures outside of those at the EU level and would need to coordinate accordingly. This is intended to avoid duplications and overlaps.

Who would oversee the critical ICT service providers?

One of either the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), or European Securities and Markets Association (ESMA) would be designated as the "Lead Overseer" for each CITPSP, depending on the relative use of the CITPSP across the market.

A central 'Oversight Forum' (a sub-committee of the ESAs) would support the oversight work, including promoting consistent monitoring of ICT risks at Union level.

What would direct oversight involve?

It is difficult to tell how involved oversight might be at this stage. The main elements and powers put forward under the proposal would involve:

• Assessment by the Lead Overseer - The Lead Overseer would assess the CITPSP's procedures and arrangements relating to ICT risk, including security, continuity and quality of services, physical security arrangements, risk management processes, governance, identification and reporting of ICT-related incidents, and testing of ICT systems.
• Annual oversight plans - A "clear, detailed and reasoned" individual oversight plan would be communicated to each CITPSP each year, based on the above-mentioned assessment.
• Extensive information gathering and audit powers - The Lead Overseer would have extensive powers to request information and reports from the CITPSP and to conduct investigations and on-site inspections. The Commission refers to these powers as enabling the Lead Overseer to "acquire real insight into the type, dimension and impact" of ICT risks posed to firms by that CITPSP, suggesting the scope could be both broad and deep. This would be a wider and more direct regulator audit right than the indirect audit rights under the EBA Outsourcing Guidelines.
• Direct recommendations - The Lead Overseer would have the power to submit recommendations on a broad range of ICT risk matters, including ICT security and quality requirements (such as roll-out of patches, updates and encryption), the use of terms and conditions and subcontracting. CITPSPs would have 30 days to confirm if they intend to follow these recommendations or not.
• Oversight of subcontracting - The Lead Overseer's role extends to oversight of the CITPSP's subcontracting arrangements, including powers to recommend that the CITPSP refrains from subcontracting in certain circumstances.
• Benchmarking - Oversight programs would be benchmarked against those for other CITPSPs.
• Oversight fees - CITPSPs would be charged fees to "fully cover" the ESAs expenditure on oversight tasks.

Much of the detail of how this will operate will be set out in delegated acts and regulatory technical standards, yet to be published.

How would direct oversight be enforced?

Two primary enforcement mechanisms have been proposed at this stage:

• Periodic penalty payments - To compel CITPSPs to comply with the information gathering and investigative powers, the Lead Overseer would have the ability to impose significant periodic penalty payments of 1% of average daily worldwide turnover of the CITPSP in the preceding business year.
• Potential suspension or termination by customers - For recommendations of the Lead Overseer, enforcement would take place indirectly. If national regulators consider that the CITPSP has not addressed the risk identified in the recommendations, they could require regulated firms to temporarily suspend (or where necessary, terminate) arrangements with the CITPSP until the risk has been addressed.

If these enforcement measures are retained in the final text, in practice, it could be difficult for CITPSPs to object to providing the requested information / on-site access or to implementing the Lead Overseer's recommendations.

What can service providers do now?

At this stage, this is a draft proposal and is likely to change as it goes through the EU's legislative process. Several areas are also due to be set out in further delegated legislation, yet to be published.

In the meantime, service providers might want to consider the designation criteria under Article 28 of the Proposal and how they apply to their business.

We will be monitoring developments in this area in order to support service providers that are concerned they might be designated under the regime.