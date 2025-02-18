The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) are advancing in the implementation of the pan-European oversight framework of critical ICT third-party service providers (CTPPs) with the objective to designate the CTPPs and to start the oversight engagement this year.

CTPP designation and engagement

To designate the CTPPs in 2025, the ESAs will perform the following steps:

Collection of the Registers of Information: Competent Authorities are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.

Competent Authorities are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities. Criticality assessments : The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.

: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information. Final Designation : After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.

ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published. Details on how to request this will be provided soon.

Implementation of the oversight framework and setup of the joint ESAs oversight function

The ESAs have been preparing the governance, procedures and methodologies necessary to conduct oversight activities.

To maximise synergies, ensure consistency in the oversight tasks and use resources efficiently, the ESAs have set up a joint DORA oversight function, led since October 2024 by a joint Director. The establishment of this function will allow the ESAs to perform their day-to-day oversight duties with an integrated approach across their sectors.

Next steps

To provide clarity to the market on preparatory activities, the designation process and on the ESAs’ oversight approach, the ESAs plan to organise an online workshop with ICT third-party providers in the second quarter of 2025. Further details on the exact date will be published in due course.

Background

The EU’s Digital Operational Resilience Act (DORA), along with the oversight framework of CTPPs, entered into application on 17 January 2025, marking a significant milestone for enhancing the digital operational resilience of the financial sector in the EU.