EU Regulators Publish 'Criticality' Criteria For DORA, MiCA Implementation

‍A group of EU regulators has published consultation responses on key definitions that will soon be added to major legislation concerning digital resilience and crypto-assets.

The Digital Operational Resilience Act (DORA), which will come into effect in 2025, must first incorporate a definition of “critical” providers of third-party ICT services to financial entities.

Similarly, the Markets in Crypto-Assets (MiCA) regulation, which is set to come into effect from 2024, must first define “significant” asset-referenced tokens (ARTs) and electronic money tokens (EMTs).

On DORA, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) have published a consultation response that will guide the European Commission in developing delegated legislation.

Under DORA, third-party providers of “critical” ICT services to financial entities will be given a special designation, and these providers must pay oversight fees to supervisory authorities.

The consultation response, which was requested by the European Commission and published on Friday (September 29), offers further details on the regulators’ proposed criteria for the “critical” definition and fee structure.

Regulators propose steps to define ‘critical’ providers

In relation to the criticality criteria, the regulators propose 11 quantitative and qualitative indicators that will be applied to firms using a two-step approach.

Step 1 covers six quantitative criticality indicators — for example, regulators will look at whether a provider services 10 percent or more of financial entities in the EU, based on total number of entities and total assets.

Regulators will also look at whether a provider services at least one financial market infrastructure in a “critical and important” way, and whether a provider has a monopoly on the provision of any service to a large portion of financial entities.

Under the proposals, if a provider meets these criteria, it does not automatically result in a “critical” designation, but it results in a second phase of assessment.

Hence, the regulators refer to these criteria as “relevance triggers” rather than “criticality triggers”.

If a provider is advanced to further assessment, it then arrives at Step 2, which covers qualitative indicators.

During Step 2, regulators must gauge the potential impact on financial entities if a provider was to discontinue its services.

Other quantitative indicators include interdependence of globally systemically important institutions who use the same third-party ICT service, and the number of providers using the same sub-contractors to service financial entities.

If a provider is found to be indispensable using the qualitative criteria, it may be recommended as “critical” to the Oversight Forum, which may then provide a recommended designation to the European Supervisory Authorities (ESA) Joint Committee.

Oversight fee structure

If a provider is designated as “critical”, it will have to pay “oversight fees” to its Lead Overseer to cover the costs related to oversight tasks.

Under DORA, supervisory bodies such as the EBA, ESMA or EIOPA may act as the Lead Overseer of a firm, depending on the nature of its services.

In the proposals, the three agencies suggest that calculation of oversight fees should be proportionate to the turnover of providers and should be “adaptable” to an annual designation process.

The three regulators also propose that the fee structure should follow the principles of activity-based management and “full-cost recovery”.

In other words, the fee should cover the agencies’ direct and indirect expenditure on tasks performed to oversee the provider, including staff, infrastructure and operating expenditure.

Overall, based on current implementation timelines, each of the three agencies is estimated to incur at least €6.9m in 2025, €2.5m in 2026 and €2.6m in 2027 related to DORA oversight costs.

Following the submission of the proposals, the three agencies said they “remain at the disposal” of the European Commission and will continue to provide further information for the two delegated acts that will eventually be incorporated into DORA.

EBA proposes oversight fee formula for stablecoin, EMT issuers

Also on Friday (September 29), the EBA published its response to a European Commission consultation on stablecoins and EMTs under MiCA.

The proposals aim to set out a formula for determining the significance of stablecoins and EMTs, and to calculate the fees that significant stablecoin and EMT issuers should pay to regulators.

The EBA proposes a set of “core” and “ancillary” indicators across two significance criteria for both types of assets, namely financial sector interconnectedness and activities on an international scale.

To gauge financial sector interconnectedness, core indicators include an issuer’s share of non-deposit reserve assets that are classed as financial instruments issued by financial institutions.

If an issuer holds financial instruments as reserves, for example, the share of the issuer’s holdings relative to the total supply of those financial instruments will also be considered.

Ancillary indicators cover the ownership structure of stablecoin and EMT issuers, and issues such as custody risks and portfolio overlap between multiple issuers’ reserve assets.

To measure activities on an international scale, core factors include an issuer’s market share of cross-border transactions using its stablecoin or EMT in and out of the EU, and the ratio of cross-border transactions using all stablecoins or EMTs compared with other methods.

With regard to minimum thresholds for these indicators, the EBA said it will refrain from proposing a methodology at this stage, due to the limited amount of data available.

Instead, the EBA proposes to develop benchmarks for the indicators as and when data becomes available.

As with the DORA proposals outlined above, if a stablecoin or EMT issuer is designated as “significant”, the EBA proposes that its supervisory fees be calculated on an activity-based management model.

That means the fee should cover the EBA’s direct and indirect expenditure on tasks performed when supervising the issuers, covering staff, infrastructure and operating expenses.

The European Commission is required to adopt a delegated act on supervisory fees by the end of June 2024, and the EBA said it “stands ready” to support the commission with any further technical inputs as needed to facilitate its preparation.