European Banking Authority and other European Supervisory Authorities designate critical ICT third-party providers for DORA oversight

The European Banking Authority, together with the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, published the list of ICT third-party providers designated as critical under the Digital Operational Resilience Act (DORA), bringing those providers into the DORA oversight framework. The designations followed DORA’s methodology, starting with data collected from financial entities’ Registers of Information on ICT service contracts, followed by a criticality assessment conducted with competent authorities across banking, insurance and pensions, and securities and markets. Providers were assessed against DORA’s criteria, including systemic importance, support for financial entities’ critical or important functions, and the substitutability of services. Providers assessed as critical were notified and could submit a reasoned statement under the right to be heard before final designation decisions were adopted. Under the DORA Oversight Framework, the European Supervisory Authorities will engage directly with designated critical ICT third-party providers to assess whether they have appropriate ICT risk management and governance frameworks to ensure the resilience of services delivered to EU financial entities, with further engagement planned through upcoming examination activities.