Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid



AD ID

0003979

AD STATUS

Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid

ORIGINATOR

European Union

TYPE

Regulations

AVAILABILITY

Free

SYNONYMS

Delegated regulation specifying fees for the critical ICT third-party service providers in the financial sector

Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid

EFFECTIVE

2024-02-22

ADDED

The document as a whole was last reviewed and released on 2024-08-29T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata that are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid are based upon terms either found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and mandates by Impact Zone
4 Mandated Controls - bold
5 Implied Controls - italic
8 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
17 Total
  • Leadership and high level objectives
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain communication protocols. CC ID 12245
    [For the purposes of this Regulation, all communication between the European Supervisory Authorities and critical ICT third-party service providers shall take place by electronic means. Article 6 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an alternative communication protocol. CC ID 17097 Communicate Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Business Processes Preventive
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Process or Activity Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Process or Activity Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Communicate Preventive
    Document the findings from surveys. CC ID 16309 Establish/Maintain Documentation Preventive
    Include the criteria for notifications in the notification system. CC ID 17139 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342
    [Critical ICT third-party service providers shall provide the Lead Overseer on an annual basis in year n-1 with audited figures specifying the turnover referred to in paragraph 1 for year n-2. Critical ICT third-party service providers shall provide those figures to the Lead Overseer by 31 December each year. Article 2 2.]
    Communicate Preventive
  • Operational management
    4
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a cost management program. CC ID 13638 Establish/Maintain Documentation Preventive
    Pay fees in accordance with applicable requirements. CC ID 17178
    [By way of derogation from Article 3 and paragraph 1 above, for the first year in which an ICT third-party service provider is designated as critical, it shall pay a fixed oversight fee which is equal to the amount paid by each ICT third party service provider under paragraph 1. Where the period of the oversight activities of such critical ICT third-party service provider does not correspond to a full year, that oversight fee shall be equal to the amount paid by each ICT third-party service provider under paragraph 1, multiplied by the number of calendar days from the designation of the ICT third-party service provider as critical until the end of that year and divided by the total number of days in that year. Article 4 2.
    Where an ICT third-party service provider requests to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, it shall pay a fixed opt-in fee of EUR 50 000. The recipient ESA shall not reimburse that fixed opt-in fee where the request to be designated as critical is rejected or withdrawn by the ICT third-party service provider. Article 4 3.
    Critical ICT third-party service providers shall pay the oversight fees referred to in Article 43 of Regulation (EU) 2022/2554 to the Lead Overseer on an annual basis. Article 5 1.
    All oversight fees shall be paid based on a single instalment basis. Critical ICT third-party service providers which will be subject to oversight activities on 1 January of a given year shall pay the debit note by 30 April of that year. Critical ICT third-party service providers designated throughout the year shall pay the fees referred to in Article 4 in a single instalment by 31 December of that year. Article 5 3.]
    Acquisition/Sale of Assets or Services Preventive
    Define fee structures in the cost management program. CC ID 17177
    [For each critical ICT third-party service, the annual oversight fee for a given year (n) shall be the overall annual costs estimated referred to in Article 1 adjusted by the turnover coefficient referred to in paragraph 2 based on its applicable turnover for the year n-2. Article 3 1.
    For each critical ICT third-party service provider, the turnover coefficient shall be based on the applicable turnover referred to in Article 2 and shall be calculated as follows: Article 3 2.]
    Acquisition/Sale of Assets or Services Preventive
Common Controls and mandates by Type
4 Mandated Controls - bold
5 Implied Controls - italic
8 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
17 Total
  • Acquisition/Sale of Assets or Services
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Pay fees in accordance with applicable requirements. CC ID 17178
    [By way of derogation from Article 3 and paragraph 1 above, for the first year in which an ICT third-party service provider is designated as critical, it shall pay a fixed oversight fee which is equal to the amount paid by each ICT third party service provider under paragraph 1. Where the period of the oversight activities of such critical ICT third-party service provider does not correspond to a full year, that oversight fee shall be equal to the amount paid by each ICT third-party service provider under paragraph 1, multiplied by the number of calendar days from the designation of the ICT third-party service provider as critical until the end of that year and divided by the total number of days in that year. Article 4 2.
    Where an ICT third-party service provider requests to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, it shall pay a fixed opt-in fee of EUR 50 000. The recipient ESA shall not reimburse that fixed opt-in fee where the request to be designated as critical is rejected or withdrawn by the ICT third-party service provider. Article 4 3.
    Critical ICT third-party service providers shall pay the oversight fees referred to in Article 43 of Regulation (EU) 2022/2554 to the Lead Overseer on an annual basis. Article 5 1.
    All oversight fees shall be paid based on a single instalment basis. Critical ICT third-party service providers which will be subject to oversight activities on 1 January of a given year shall pay the debit note by 30 April of that year. Critical ICT third-party service providers designated throughout the year shall pay the fees referred to in Article 4 in a single instalment by 31 December of that year. Article 5 3.]
    Operational management Preventive
    Define fee structures in the cost management program. CC ID 17177
    [For each critical ICT third-party service, the annual oversight fee for a given year (n) shall be the overall annual costs estimated referred to in Article 1 adjusted by the turnover coefficient referred to in paragraph 2 based on its applicable turnover for the year n-2. Article 3 1.
    For each critical ICT third-party service provider, the turnover coefficient shall be based on the applicable turnover referred to in Article 2 and shall be calculated as follows: Article 3 2.]
    Operational management Preventive
  • Business Processes
    1
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Preventive
  • Communicate
    3
    Establish, implement, and maintain an alternative communication protocol. CC ID 17097 Leadership and high level objectives Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342
    [Critical ICT third-party service providers shall provide the Lead Overseer on an annual basis in year n-1 with audited figures specifying the turnover referred to in paragraph 1 for year n-2. Critical ICT third-party service providers shall provide those figures to the Lead Overseer by 31 December each year. Article 2 2.]
    Leadership and high level objectives Preventive
  • Establish/Maintain Documentation
    6
    Establish, implement, and maintain communication protocols. CC ID 12245
    [For the purposes of this Regulation, all communication between the European Supervisory Authorities and critical ICT third-party service providers shall take place by electronic means. Article 6 ¶ 1]
    Leadership and high level objectives Preventive
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Preventive
    Include the criteria for notifications in the notification system. CC ID 17139 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Leadership and high level objectives Preventive
    Establish, implement, and maintain a cost management program. CC ID 13638 Operational management Preventive
  • IT Impact Zone
    2
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
  • Monitor and Evaluate Occurrences
    1
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Preventive
  • Process or Activity
    2
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Preventive
Common Controls and mandates by Classification
4 Mandated Controls - bold
5 Implied Controls - italic
8 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
17 Total
  • IT Impact Zone
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
  • Preventive
    15
    Establish, implement, and maintain communication protocols. CC ID 12245
    [For the purposes of this Regulation, all communication between the European Supervisory Authorities and critical ICT third-party service providers shall take place by electronic means. Article 6 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an alternative communication protocol. CC ID 17097 Leadership and high level objectives Communicate
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Process or Activity
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Process or Activity
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Communicate
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Establish/Maintain Documentation
    Include the criteria for notifications in the notification system. CC ID 17139 Leadership and high level objectives Establish/Maintain Documentation
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain a financial management program. CC ID 13228 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain financial reports. CC ID 14770 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342
    [Critical ICT third-party service providers shall provide the Lead Overseer on an annual basis in year n-1 with audited figures specifying the turnover referred to in paragraph 1 for year n-2. Critical ICT third-party service providers shall provide those figures to the Lead Overseer by 31 December each year. Article 2 2.]
    Leadership and high level objectives Communicate
    Establish, implement, and maintain a cost management program. CC ID 13638 Operational management Establish/Maintain Documentation
    Pay fees in accordance with applicable requirements. CC ID 17178
    [By way of derogation from Article 3 and paragraph 1 above, for the first year in which an ICT third-party service provider is designated as critical, it shall pay a fixed oversight fee which is equal to the amount paid by each ICT third party service provider under paragraph 1. Where the period of the oversight activities of such critical ICT third-party service provider does not correspond to a full year, that oversight fee shall be equal to the amount paid by each ICT third-party service provider under paragraph 1, multiplied by the number of calendar days from the designation of the ICT third-party service provider as critical until the end of that year and divided by the total number of days in that year. Article 4 2.
    Where an ICT third-party service provider requests to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, it shall pay a fixed opt-in fee of EUR 50 000. The recipient ESA shall not reimburse that fixed opt-in fee where the request to be designated as critical is rejected or withdrawn by the ICT third-party service provider. Article 4 3.
    Critical ICT third-party service providers shall pay the oversight fees referred to in Article 43 of Regulation (EU) 2022/2554 to the Lead Overseer on an annual basis. Article 5 1.
    All oversight fees shall be paid based on a single instalment basis. Critical ICT third-party service providers which will be subject to oversight activities on 1 January of a given year shall pay the debit note by 30 April of that year. Critical ICT third-party service providers designated throughout the year shall pay the fees referred to in Article 4 in a single instalment by 31 December of that year. Article 5 3.]
    Operational management Acquisition/Sale of Assets or Services
    Define fee structures in the cost management program. CC ID 17177
    [For each critical ICT third-party service, the annual oversight fee for a given year (n) shall be the overall annual costs estimated referred to in Article 1 adjusted by the turnover coefficient referred to in paragraph 2 based on its applicable turnover for the year n-2. Article 3 1.
    For each critical ICT third-party service provider, the turnover coefficient shall be based on the applicable turnover referred to in Article 2 and shall be calculated as follows: Article 3 2.]
    Operational management Acquisition/Sale of Assets or Services