0003979
Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
European Union
Regulations
Free
Delegated regulation specifying fees for the critical ICT third-party service providers in the financial sector
Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
2024-02-22
The document as a whole was last reviewed and released on 2024-08-29T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata that are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain communication protocols. CC ID 12245 [For the purposes of this Regulation, all communication between the European Supervisory Authorities and critical ICT third-party service providers shall take place by electronic means. Article 6 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Communicate | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 [Critical ICT third-party service providers shall provide the Lead Overseer on an annual basis in year n-1 with audited figures specifying the turnover referred to in paragraph 1 for year n-2. Critical ICT third-party service providers shall provide those figures to the Lead Overseer by 31 December each year. Article 2 2.] | Communicate | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Establish/Maintain Documentation | Preventive | |
Pay fees in accordance with applicable requirements. CC ID 17178 [By way of derogation from Article 3 and paragraph 1 above, for the first year in which an ICT third-party service provider is designated as critical, it shall pay a fixed oversight fee which is equal to the amount paid by each ICT third party service provider under paragraph 1. Where the period of the oversight activities of such critical ICT third-party service provider does not correspond to a full year, that oversight fee shall be equal to the amount paid by each ICT third-party service provider under paragraph 1, multiplied by the number of calendar days from the designation of the ICT third-party service provider as critical until the end of that year and divided by the total number of days in that year. Article 4 2. Where an ICT third-party service provider requests to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, it shall pay a fixed opt-in fee of EUR 50 000. The recipient ESA shall not reimburse that fixed opt-in fee where the request to be designated as critical is rejected or withdrawn by the ICT third-party service provider. Article 4 3. Critical ICT third-party service providers shall pay the oversight fees referred to in Article 43 of Regulation (EU) 2022/2554 to the Lead Overseer on an annual basis. Article 5 1. All oversight fees shall be paid based on a single instalment basis. Critical ICT third-party service providers which will be subject to oversight activities on 1 January of a given year shall pay the debit note by 30 April of that year. Critical ICT third-party service providers designated throughout the year shall pay the fees referred to in Article 4 in a single instalment by 31 December of that year. Article 5 3.] | Acquisition/Sale of Assets or Services | Preventive | |
Define fee structures in the cost management program. CC ID 17177 [For each critical ICT third-party service, the annual oversight fee for a given year (n) shall be the overall annual costs estimated referred to in Article 1 adjusted by the turnover coefficient referred to in paragraph 2 based on its applicable turnover for the year n-2. Article 3 1. For each critical ICT third-party service provider, the turnover coefficient shall be based on the applicable turnover referred to in Article 2 and shall be calculated as follows: Article 3 2.] | Acquisition/Sale of Assets or Services | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Pay fees in accordance with applicable requirements. CC ID 17178 [By way of derogation from Article 3 and paragraph 1 above, for the first year in which an ICT third-party service provider is designated as critical, it shall pay a fixed oversight fee which is equal to the amount paid by each ICT third party service provider under paragraph 1. Where the period of the oversight activities of such critical ICT third-party service provider does not correspond to a full year, that oversight fee shall be equal to the amount paid by each ICT third-party service provider under paragraph 1, multiplied by the number of calendar days from the designation of the ICT third-party service provider as critical until the end of that year and divided by the total number of days in that year. Article 4 2. Where an ICT third-party service provider requests to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, it shall pay a fixed opt-in fee of EUR 50 000. The recipient ESA shall not reimburse that fixed opt-in fee where the request to be designated as critical is rejected or withdrawn by the ICT third-party service provider. Article 4 3. Critical ICT third-party service providers shall pay the oversight fees referred to in Article 43 of Regulation (EU) 2022/2554 to the Lead Overseer on an annual basis. Article 5 1. All oversight fees shall be paid based on a single instalment basis. Critical ICT third-party service providers which will be subject to oversight activities on 1 January of a given year shall pay the debit note by 30 April of that year. Critical ICT third-party service providers designated throughout the year shall pay the fees referred to in Article 4 in a single instalment by 31 December of that year. Article 5 3.] | Operational management | Preventive | |
Define fee structures in the cost management program. CC ID 17177 [For each critical ICT third-party service, the annual oversight fee for a given year (n) shall be the overall annual costs estimated referred to in Article 1 adjusted by the turnover coefficient referred to in paragraph 2 based on its applicable turnover for the year n-2. Article 3 1. For each critical ICT third-party service provider, the turnover coefficient shall be based on the applicable turnover referred to in Article 2 and shall be calculated as follows: Article 3 2.] | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 [Critical ICT third-party service providers shall provide the Lead Overseer on an annual basis in year n-1 with audited figures specifying the turnover referred to in paragraph 1 for year n-2. Critical ICT third-party service providers shall provide those figures to the Lead Overseer by 31 December each year. Article 2 2.] | Leadership and high level objectives | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [For the purposes of this Regulation, all communication between the European Supervisory Authorities and critical ICT third-party service providers shall take place by electronic means. Article 6 ¶ 1] | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [For the purposes of this Regulation, all communication between the European Supervisory Authorities and critical ICT third-party service providers shall take place by electronic means. Article 6 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Communicate | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 [Critical ICT third-party service providers shall provide the Lead Overseer on an annual basis in year n-1 with audited figures specifying the turnover referred to in paragraph 1 for year n-2. Critical ICT third-party service providers shall provide those figures to the Lead Overseer by 31 December each year. Article 2 2.] | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Establish/Maintain Documentation | |
Pay fees in accordance with applicable requirements. CC ID 17178 [By way of derogation from Article 3 and paragraph 1 above, for the first year in which an ICT third-party service provider is designated as critical, it shall pay a fixed oversight fee which is equal to the amount paid by each ICT third party service provider under paragraph 1. Where the period of the oversight activities of such critical ICT third-party service provider does not correspond to a full year, that oversight fee shall be equal to the amount paid by each ICT third-party service provider under paragraph 1, multiplied by the number of calendar days from the designation of the ICT third-party service provider as critical until the end of that year and divided by the total number of days in that year. Article 4 2. Where an ICT third-party service provider requests to be designated as critical in accordance with Article 31(11) of Regulation (EU) 2022/2554, it shall pay a fixed opt-in fee of EUR 50 000. The recipient ESA shall not reimburse that fixed opt-in fee where the request to be designated as critical is rejected or withdrawn by the ICT third-party service provider. Article 4 3. Critical ICT third-party service providers shall pay the oversight fees referred to in Article 43 of Regulation (EU) 2022/2554 to the Lead Overseer on an annual basis. Article 5 1. All oversight fees shall be paid based on a single instalment basis. Critical ICT third-party service providers which will be subject to oversight activities on 1 January of a given year shall pay the debit note by 30 April of that year. Critical ICT third-party service providers designated throughout the year shall pay the fees referred to in Article 4 in a single instalment by 31 December of that year. Article 5 3.] | Operational management | Acquisition/Sale of Assets or Services | |
Define fee structures in the cost management program. CC ID 17177 [For each critical ICT third-party service, the annual oversight fee for a given year (n) shall be the overall annual costs estimated referred to in Article 1 adjusted by the turnover coefficient referred to in paragraph 2 based on its applicable turnover for the year n-2. Article 3 1. For each critical ICT third-party service provider, the turnover coefficient shall be based on the applicable turnover referred to in Article 2 and shall be calculated as follows: Article 3 2.] | Operational management | Acquisition/Sale of Assets or Services |