Pillar IV: ICT Third-Party Risk Management

Article 31

Chapter V — Managing of ICT third-party risk

Section II — Oversight framework for critical ICT third-party service providers

Designation of critical ICT third-party service providers

Tags: critical-provider, designation, oversight, systemic-importance

Summary

Establishes the criteria and process for designating ICT third-party service providers as "critical" at the EU level. Designation triggers the direct oversight framework by the Lead Overseer, considering factors such as the systemic impact, substitutability, and number of financial entities relying on the provider.

Key Requirements

  1. ESAs designate critical ICT third-party service providers

  2. Designation based on systemic impact, substitutability, and dependency criteria

  3. Designated providers subject to direct oversight by Lead Overseer

  4. Providers may request review of designation decision

Detailed Analysis

Article 31 introduces the mechanism for designating ICT third-party service providers as "critical" at the EU level — a groundbreaking innovation that brings major technology companies under direct financial regulatory oversight for the first time. This designation creates the gateway to the oversight framework established in subsequent articles.

The designation criteria include the systemic importance of the financial entities relying on the provider, the degree to which the financial sector depends on the provider's services, the substitutability of the provider (considering available alternatives and the difficulty of migrating), and the number of member states in which the provider's services are used.

The designation process is conducted by the ESAs through a Joint Committee, with input from national competent authorities. The ESAs must publish a list of designated critical ICT third-party service providers and update it regularly. Providers have the right to be heard before designation and can request a review of the decision.

Once designated, a critical provider becomes subject to direct oversight by a Lead Overseer — one of the three ESAs (EBA, EIOPA, or ESMA) appointed based on which sector is most dependent on the provider's services. This oversight relationship is fundamentally different from the traditional supervisory approach where regulators oversee financial entities that in turn manage their vendors.
