European Commission adopts Delegated Regulations on oversight fees and critical ICT third-party service providers (DORA) and Delegated Regulations under MiCAR

1. DORA

DORA will apply as of 17 January 2025. In the meantime, a whole set of secondary legislation that will set out detailed, technical rules specifying some of the key provisions of DORA will have to be developed. This work is now well under way.

DORA will introduce an “oversight framework” which did not exist under pre-existing outsourcing regulations. ICT third-party service providers that are designated as “critical” will be subjected to additional regulatory scrutiny through this new concept of an oversight framework, overseen by the European Supervisory Authorities (the ESAs). The oversight framework allows the ESAs to request information from, investigate, inspect (for example, to assess a provider’s physical security, risk management processes and governance arrangements) and issue recommendations and penalties (up to 1% of annual worldwide turnover) to critical ICT third-party service providers (CTTPs). DORA provides the ESAs with exclusive competence to designate CTPPs. 

Last week, the Commission adopted two Delegated Regulations (i) specifying the criteria for the designation of ICT third-party service providers as critical for financial entities and (ii) determining the amount of the oversight fees to be charged by the ‘Lead Overseer’ to CTTPs.

• Delegated Regulation on further specifying the criticality criteria for CTTPs

  The Delegated Regulation supplements DORA by specifying the criteria for the designation of CTTPs. To assess whether an ICT third-party service provider is critical for financial entities, the ESAs should use sub-criteria in a two-step approach assessment. The Delegated Regulation notes that - considering the various important ICT services existing and the diversity and number of financial institutions using those services - such a two-step approach should be undertaken to filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers. The quantitative sub-criteria that are to be considered as part of the first step of the assessment are necessary to carry out a first selection of the population of ICT third-party service providers for which it is relevant to carry out a further in-depth analysis in light of the qualitative sub-criteria that are to be considered as part of the second step of the assessment.

• Delegated regulation specifying fees for the critical ICT third-party service providers in the financial sector

  To ensure that the ESAs have the necessary resources to carry out their tasks, the ESAs can charge fees to each designated CTPP. 

  This Delegated Regulation supplements DORA by determining the amount of the oversight fees to be charged by the Lead Overseer to.

2. MiCAR

The package adopted on 22 February 2024 consists of Delegated Regulations further specifying (i) the criteria for an asset-referenced token (ART) and e-money token (EMT) to be classified as ‘significant’, (ii) supervisory measures on products intervention powers, (iii) procedural rules for the exercise of the power to impose fines or periodic penalty payments by the European Banking Authority (EBA), and (iv) fees charged by the EBA.

• MiCAR Delegated Regulation on criteria for significance

  Article 43(1) of MiCAR sets out the criteria for the classification of ARTs and EMTs as significant. This Delegated Regulation based on Article 43(11) of MiCAR and further specifies the criteria listed in Article 43(1) of MiCAR.

• MiCA Delegated Regulation on Product Intervention Powers

  Articles 103(2)(3), 104(2)(3) and 105(2) of MiCAR state the conditions under which the European Securities and Markets Authority (ESMA), the EBA and the competent authorities in the EU Member States may take certain product intervention measures. These conditions include a requirement that the proposed prohibition or restriction addresses either (i) a significant investor protection concern, or (ii) a threat to the orderly functioning and integrity of markets in crypto-assets or to the stability of the whole or part of the financial system of either the EU or at least one Member State. The Delegated Regulation further specifies this requirement.

• MiCA Delegated Regulation on Penalties

  Where an ART is classified as ‘significant’ under MiCAR, the issuer of the ART is to be supervised by the EBA. Where EMT issued by an electronic money institution are classified as ‘significant’ under MiCAR, the EBA is to supervise the issuer of the EMT. This Delegated Regulation further specifies the rules and procedures relating to the imposition of fines and periodic penalty payments.

• MiCA Delegated Regulation on EBA Supervisory Fees

  Pursuant to Article 137(1) of MiCAR, the EBA is to charge fees to issuers of significant ARTs and EMTs. This Delegated Regulation further specifies the types of fees, the matters for which fees are due, the amount of fees and the manner in which they are to be paid and the methodology to calculate the maximum amount per entity that the EBA can charge.

The European Parliament and the Council will now review the Delegated Regulations and may raise any objections they may have. The Delegated Regulations enter into force on the twentieth day following their publication in the EU Official Journal. 

Companies affected by DORA and MiCAR would do well to keep up with developments relating to this new wave of legislation to ensure that their businesses can timely implement the necessary changes. Stibbe’s financial regulation team can assist with navigating the implications of DORA, MiCAR and the specific requirements of the recently published Delegated Regulations.