European Insurance and Occupational Pensions Authority with EBA and ESMA publishes list of designated critical ICT third-party providers under the Digital Operational Resilience Act

The European Supervisory Authorities, including the European Insurance and Occupational Pensions Authority (EIOPA), published the list of ICT third-party providers designated as critical (CTPPs) under the Digital Operational Resilience Act (DORA), advancing the implementation of DORA’s oversight framework. Designation followed DORA’s mandated methodology, drawing on financial entities’ Registers of Information on ICT outsourcing arrangements and a criticality assessment conducted with EU competent authorities across banking, insurance and pensions, and securities and markets. The assessment applied DORA criteria covering providers’ systemic importance, their role in supporting critical or important functions at financial entities, and the substitutability of their services; providers assessed as critical were notified and could submit reasoned statements under the right to be heard before final decisions were adopted. Under the DORA Oversight Framework, the ESAs will use direct oversight engagement and examination activities to assess whether designated CTPPs have appropriate risk management and governance frameworks to support the resilience of the ICT services they deliver to EU financial entities.