/>iThe European Supervisory Authorities (ESAs) recently published a comprehensive guide (Guide) on the oversight of critical information and communications technology (ICT) third-party service providers (CTPPs) under the EU Digital Operational Resilience Act (DORA). This Guide marks another step in the implementation of DORA, which aims to strengthen the digital operational resilience of the EU financial sector.
Background
DORA establishes a harmonised framework for managing ICT risks across the EU financial sector. One key aspect of the framework is the introduction of an oversight regime for CTPPs. Essentially, ICT third-party service providers (TPPs) whose ICT services are deemed critical to the stability and security of the EU financial sector are designated by the ESAs as CTPPs. Designated CTPPs become subject to direct oversight by one of the ESAs (the European Banking Authority, the European Securities and Markets Authority, or the European Insurance and Occupational Pensions Authority) as “lead overseer”.
The Guide follows the ESAs’ February 2025 roadmap (Roadmap), which set out in more detail the process for designating CTPPs. According to the Roadmap, the ESAs were meant to have completed criticality assessments and notified relevant providers of their status by the end of July 2025.
Scope of the Guide
The Guide is intended for a broad audience, including CTPPs, financial entities (FEs), national competent authorities and other stakeholders. Its primary purpose is to clarify the DORA oversight framework, explain its practical application and foster a common understanding among all parties involved. The ESAs explain that the Guide may be revised and reissued over time as oversight experience continues to develop.
Key Elements of the Oversight Framework
The Guide sets out several core components of the DORA oversight regime such as:
- governance structure and organisation of the oversight framework for CTPPs, including the various oversight bodies and their functions;
- the range of oversight activities that lead overseers will undertake, including:
- designation of CTPPs – the process for identifying and designating CTPPs based on an annual assessment of systemic impact, interconnectedness, critical nature of services, limited substitutability, and the number and type of FEs served;
- risk assessment and oversight planning – ongoing assessment of risks posed by CTPPs and the development of oversight plans;
- examinations and investigations – the conduct of both routine and ad hoc examinations, including on-site inspections and requests for information; and
- recommendations and follow-up – issuing recommendations to CTPPs and monitoring their implementation to ensure compliance and risk mitigation; and
- practical details on how oversight activities will be carried out, including the processes for information requests, general investigations and formal inspections.
Concluding Remarks
The publication of the Guide is a milestone in the operationalisation of DORA’s oversight regime. Further updates to the Guide are anticipated as the ESAs continue to refine their approach to the oversight regime and as the first round of CTPP designations is completed. Stakeholders should monitor developments closely and ensure they remain aligned with evolving regulatory expectations.
The Guide is available here.
