European Securities and Markets Authority and other European Supervisory Authorities set 2025 process to designate critical ICT third-party providers under DORA

The European Securities and Markets Authority, together with the European Banking Authority and the European Insurance and Occupational Pensions Authority, has outlined how it will implement the Digital Operational Resilience Act (DORA) oversight framework for critical ICT third-party service providers, with the aim of designating critical providers and starting oversight engagement in 2025. The process begins with competent authorities submitting to the ESAs, by 30 April 2025, the registers of information on ICT third-party arrangements received from financial entities. The ESAs will then carry out DORA criticality assessments and notify ICT third-party service providers of a critical classification by July 2025, triggering a six-week window for providers to object with a reasoned statement and supporting information. Following this period, the ESAs will finalise designations and commence oversight engagement; providers not designated as critical will be able to request voluntary designation once the list of critical providers is published. Oversight governance and methodologies are being put in place through a joint DORA oversight function led by a joint Director since October 2024. To explain preparatory activities, the designation process and the oversight approach, the ESAs plan to hold an online workshop with ICT third-party providers in the second quarter of 2025, with the date to be confirmed.