The European Supervisory Authorities, comprising the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, have published the list of information and communication technology (ICT) third-party providers designated as critical under the Digital Operational Resilience Act (DORA), activating the DORA oversight framework for these providers. The designation followed the DORA methodology: data were collected from financial entities’ Registers of Information on ICT outsourcing arrangements, then a criticality assessment was carried out with EU competent authorities across banking, insurance and pensions, and securities and markets. The assessment applied DORA’s criteria, including providers’ systemic importance, their role in supporting critical or important functions for financial entities, and the substitutability of their services. Providers assessed as critical were notified and could submit reasoned statements under a right-to-be-heard process before final designation decisions were adopted. Under the oversight framework, the ESAs will conduct direct oversight engagement and examination activities to assess whether designated providers have appropriate ICT risk management and governance arrangements to support the resilience of services delivered to EU financial entities.
European Securities and Markets Authority 2025-11-18
European Securities and Markets Authority, European Banking Authority and European Insurance and Occupational Pensions Authority publish list of DORA critical ICT third-party providers
The European Supervisory Authorities, comprising the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority, have published the list of ICT third-party providers designated as critical under the Digital Operational Resilience Act (DORA). This activates DORA's oversight framework, which is intended to ensure that these providers have adequate ICT risk management and governance arrangements to support the resilience of EU financial entities. The designation involved a criticality assessment based on DORA criteria, including systemic importance and service substitutability.