The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) are advancing in the implementation of the pan-European oversight framework of critical ICT third-party service providers (CTPPs) with the objective to designate the CTPPs and to start the oversight engagement this year.
CTPP designation and engagement
To designate the CTPPs in 2025, the ESAs will perform the following steps:
- Collection of the Registers of Information: Competent Authorities are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.
- Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
- Final Designation: After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.
ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published. Details on how to request this will be provided soon.
Implementation of the oversight framework and setup of the joint ESAs oversight function
The ESAs have been preparing the governance, procedures and methodologies necessary to conduct oversight activities.
To maximise synergies, ensure consistency in the oversight tasks and use resources efficiently, the ESAs have set up a joint DORA oversight function, led since October 2024 by a joint Director. The establishment of this function will allow the ESAs to perform their day-to-day oversight duties with an integrated approach across their sectors.
Next steps
To provide clarity to the market on preparatory activities, the designation process and on the ESAs’ oversight approach, the ESAs plan to organise an online workshop with ICT third-party providers in the second quarter of 2025. Further details on the exact date will be published in due course.
Background
The EU’s Digital Operational Resilience Act (DORA), along with the oversight framework of CTPPs, entered into application on 17 January 2025, marking a significant milestone for enhancing the digital operational resilience of the financial sector in the EU.
In addition to Section II of chapter V of DORA, the relevant regulatory references of the oversight framework are the following:
- two Delegated Regulations adopted by the European Commission in Q4 2024 on the basis of two draft Regulatory Technical Standards (RTS) developed by the ESAs covering the items set out in Article 41 of DORA (here and here)
- two Delegated Regulations published in the Official Journal covering the designation criteria to be applied by the ESAs while designating CTPPs (here) and the fees that CTPPs are going to pay according to Article 43 (here)
- Guidelines on cooperation between the ESAs and the relevant Competent Authorities (here)
Financial entities can access the reporting rules for the Registers of Information here. These registers will be used as a basis for the designation of CTPP.