Chapter V — Managing of ICT third-party risk
Section II — Oversight framework for critical ICT third-party service providers
Oversight fees
Summary
Establishes the fee framework for funding oversight activities. Critical ICT third-party service providers bear the costs of their oversight through fees calculated based on their turnover from ICT services provided to EU financial entities, ensuring that oversight is adequately resourced without burdening public finances.
Key Requirements
1. Critical providers must pay fees to cover the cost of their oversight
2. Fees calculated based on turnover from ICT services to EU financial entities
3. Fee methodology developed by the ESAs through delegated acts
4. Fees must be proportionate and non-discriminatory
5. Fee collection administered by the Lead Overseer
Detailed Analysis
Article 43 addresses the fundamental question of who pays for the oversight of critical ICT third-party service providers. The answer is unambiguous: the providers themselves. This user-pays model ensures that oversight is adequately resourced to conduct the demanding work of supervising large, complex technology companies, without creating a burden on public budgets or cross-subsidization by financial entities.
Fees are calculated based on the critical provider's turnover from ICT services provided to EU financial entities. This basis links the fee to the scale of the provider's financial sector activities, which is a proxy for both the systemic risk it creates and its capacity to bear oversight costs. The ESAs develop the detailed fee methodology through delegated acts, specifying the calculation formula, collection procedures, and any adjustments for provider size or complexity.
The fee must be proportionate and non-discriminatory. This means the fee methodology cannot unfairly burden smaller critical providers relative to larger ones, or treat providers from certain jurisdictions differently than others. The proportionality requirement ensures that oversight fees do not themselves become a barrier to serving the EU financial sector, which would reduce competition and potentially increase concentration risk.
For financial entities, oversight fees paid by their critical providers are likely to be passed through in some form — either as explicit charges or embedded in service pricing. However, the assurance value of regulatory oversight should outweigh these costs, as it reduces the need for duplicative due diligence and provides independent validation of the provider's risk management capabilities. Entities should factor potential fee pass-through into their total cost of outsourcing analysis.