The European Banking Authority, together with the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, published a roadmap for designating critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA), with the aim of designating CTPPs and beginning oversight engagement in 2025. The process starts with competent authorities submitting to the ESAs the Registers of Information on ICT third-party arrangements received from financial entities by 30 April 2025. The ESAs will then conduct DORA criticality assessments and notify ICT third-party service providers of a critical classification by July 2025, triggering a six-week period to object with a reasoned statement and supporting information. After this window, the ESAs will finalise designation and start oversight engagement; providers not designated as critical will be able to request voluntary designation once the CTPP list is published. To support implementation, the ESAs have established a joint DORA oversight function led by a joint Director since October 2024, intended to deliver an integrated day-to-day oversight approach across sectors. The ESAs also plan an online workshop with ICT third-party providers in the second quarter of 2025, with timing details to follow.
European Banking Authority 2025-02-18
European Banking Authority and other European Supervisory Authorities publish roadmap for 2025 designation of critical ICT third-party providers under DORA
The European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority released a roadmap for designating critical ICT third-party service providers under the Digital Operational Resilience Act, aiming for oversight in 2025. Authorities will submit ICT arrangement registers by April 2025, followed by criticality assessments and notifications by July 2025. A joint DORA oversight function ensures integrated oversight across sectors.