Out-Law News Reading time: 2 min.
26 Feb 2025, 10:52 am
The European Supervisory Authorities (ESAs) are advancing the implementation of the pan-European oversight framework for critical ICT third-party service providers (CTPPs) under DORA.
The EU's Digital Operational Resilience Act (DORA) has applied since 17 January 2025, together with the CTPP oversight framework. It sets requirements for ICT-related incident management in the financial sector and introduces a harmonised reporting system for major ICT-related incidents and significant cyber threats.
All financial entities covered by DORA must be able to withstand, respond to and recover from a wide range of ICT disruptions and cyber threats, and must comply with uniform requirements for the security of their network and information systems.
Chapter V of DORA deals with critical third parties that provide information and communication technology (ICT) services to the financial services industry, for example data analytics services or cloud platforms.
The three European regulatory authorities for the financial sector – the EBA, EIOPA and ESMA, together ESAs – announced last week that they will designate the CTPPs and start the oversight engagement this year.
To designate the CTPPs, the ESAs will collect the registers of information on ICT third-party arrangements, which the competent national authorities will have to submit to the ESAs by the end of April.
The ESAs also said they will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025.
“DORA gives us criteria that the ESAs are to base their assessments on,” said Andreas Carney, an outsourcing and technology expert at Pinsent Masons. “More detail as to how those criteria are to be applied by the ESAs is set out in a Commission Delegated Regulation published last year. Broadly speaking, the focus is on the extent to which the EU financial services ecosystem is reliant on particular ICT third-party service providers, the type of functions their services support and the systemic impact if something goes wrong. The assessments will involve quantitative and qualitative tests laid down in the Delegated Regulation.”
Yvonne Dunn of Pinsent Masons, who specialises in the interaction between technology, law and regulation, said: "It will be interesting to see the output of the criticality assessments based on the criteria the ESAs have published for supplier designation as a CTPP. Notification of CTPP classification in July will start the clock for many suppliers on the compliance work they will need to carry out as CTPPs, if this has not already begun."
The notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information. ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published. After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.
The ESAs said they have been preparing the governance, procedures and methodologies necessary to conduct oversight activities. Most importantly, they have set up a joint DORA oversight function to allow the ESAs to "perform their day-to-day oversight duties with an integrated approach across their sectors".
An online workshop with ICT third-party providers hosted by the ESAs in the second quarter of 2025 will provide more clarity to the market on preparatory activities, the designation process and on the ESAs’ oversight approach. A date for the workshop has not yet been set.