The European Supervisory Authorities (the European Banking Authority, European Insurance and Occupational Pensions Authority and European Securities and Markets Authority) set out the 2025 steps for designating critical ICT third-party service providers under the EU Digital Operational Resilience Act (DORA) and starting oversight engagement with the designated providers. A joint DORA oversight function has been established to carry out day-to-day oversight with an integrated approach across sectors, led by a joint Director since October 2024. Competent Authorities must submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements received from financial entities, which will form the basis for designation. The ESAs plan to complete DORA-mandated criticality assessments and notify ICT third-party service providers of a “critical” classification by July 2025, triggering a six-week period for reasoned objections supported by relevant information. After that objection window, the ESAs will finalise the list of critical ICT third-party service providers and begin oversight engagement; providers not designated as critical may request voluntary designation once the list is published. To explain preparatory work, the designation process and the oversight approach, the ESAs plan to hold an online workshop with ICT third-party providers in the second quarter of 2025, with timing details to follow.
European Insurance and Occupational Pensions Authority 2025-02-18
European Supervisory Authorities set 2025 process to designate critical ICT third-party providers under DORA and begin oversight
The European Supervisory Authorities have outlined the 2025 steps for designating critical ICT third-party service providers under the EU Digital Operational Resilience Act (DORA) and initiating oversight engagement. A joint DORA oversight function has been established to manage day-to-day oversight across sectors. Competent Authorities must submit ICT third-party arrangement registers by April 2025, with criticality assessments and notifications completed by July 2025.