The EU’s Digital Operational Resilience Act (“DORA”), which became applicable in January this year, has elevated ICT regulation in the financial sector to a new level. A key feature is its elaborate ICT third-party risk framework, which has not only refined ICT risk management obligations for banks and other financial entities but has also introduced direct oversight for certain tech companies and ICT vendors whose services are designated as critical to the financial sector by the European Supervisory Authorities (EBA, ESMA, and EIOPA; i.e., the “ESAs”). Oversight over such “Critical ICT Third-Party Service Providers” or “CTPPs” will be intensive and extensive, with high scrutiny on systems, security, governance and resilience. The oversight will be in addition to the cyber security regime established under the updated Network and Information Security Directive (NIS2 Directive), under which CTPPs may also be in scope, although the focus is on ICT risk exposure to financial entities and the authorities are required to consult and align to avoid regulatory duplication.
In light of the current first round of criticality assessments (which were recently discussed in a webinar by the ESAs), this blog post gives an update on the state of play of the designation process and an outlook on how the new oversight regime will complement and tie into financial entities’ ICT risk management.
What has been done so far
Financial entities have compiled detailed information registers of their ICT outsourcing arrangements, which the competent authorities collected and forwarded to the ESAs in April this year. The data contained in the registers will form the factual basis for the assessment and the ESAs have said they are engaging with competent authorities to ensure sufficient data quality.
DORA foresees yearly resubmissions of information registers and updates to the assessments. ICT service providers not designated in this year’s first evaluation of the data may be caught in a future evaluation (if the data has changed by then). Conversely, from next year, a situation may arise where CTPPs no longer meet the criticality criteria, for example, due to changes in their customer base.
What is happening now
The ESAs have scheduled this year’s assessment for June 2025. The assessment is based on four main criteria:
- number and size of reliant financial entities: whether an operational failure at the provider could jeopardise financial stability considering the number of financial entities which rely on the provider and their total value of assets;
- systemic importance of reliant financial entities: the number of G-SIIs and O-SIIs which rely on the provider and their interdependence with other financial entities (including where they provide financial infrastructure services);
- critical or important functions supported: the extent to which financial entities rely on the services in relation to their critical or important functions;
- substitutability: the degree of substitutability of the provider considering potential alternatives and the necessary efforts of a potential migration.
To assess these four criteria, the ESAs will rely on a methodology which is specified in a delegated regulation. The assessment involves a two-step analysis: step 1 is a screening against set thresholds quantifying the assessment criteria, and step 2 is an additional qualitative review provided the thresholds have been met. If the service provider is part of a group, the assessment will consider the ICT services provided by the group as a whole. Certain categories of service providers (financial entities which provide ICT services to other financial entities, purely intra-group or domestic providers, and service providers which are already subject to oversight under Art. 127 TFEU such as certain payment systems) are exempt from designation.
Whether an ICT service provider is critical will be determined jointly by the ESAs through their Joint Committee and upon recommendation by its newly established Oversight Forum. Service providers that exceed the thresholds and pass the qualitative review are expected to receive a notification about their “potentially critical” status by the end of July 2025 which will trigger an objection period.
Six-week objection period and final designation
After the aforementioned notification, potentially critical service providers can object to their proposed designation and provide supporting evidence. The objection window will be six weeks, and it is scheduled for August and early September 2025. The ESAs consider reasoned objections before deciding and may request additional information to be submitted within 30 calendar days to facilitate their decision.
The notification of the final decision is planned to be sent by November 2025. With this notification service providers designated as CTPPs will also be informed of the starting date of oversight which shall be no later than one month thereafter. Designated CTPPs must inform their financial entities of the designation, and the ESAs will publish a list.
Should a service provider not included in this list wish to become subject to the oversight regime, it may submit a voluntary opt-in request to be classified as critical.
Commencement of oversight
The oversight shall commence by the end of 2025. Each CTPP will be assigned one of the ESAs as Lead Overseer. The Lead Overseers will be assisted by Joint Examination Teams, which shall bring the expertise required for the individual CTPPs’ services and involve financial supervisors’ staff as well as, where applicable, the CTPPs’ NIS2 supervisors’ staff on a voluntary basis.
As a first step, the Lead Overseer, in coordination with the other ESAs, will assess whether CTPPs are effectively managing the ICT risk they pose to financial entities. This “Oversight Risk Assessment Process” or “ORAP” will be renewed on a yearly basis. On its basis, the Lead Overseer will develop an individual oversight plan describing the annual oversight objectives and the main oversight actions and timeline. It will be complemented by a multi-annual strategic oversight plan for all CTPPs, which will be updated annually. The oversight will involve ongoing monitoring as well as in-depth reviews of varying intensity on the basis of the Lead Overseers’ powers (i.e., requests for information, investigations, on-site inspections), which may result in recommendations (see below). The oversight may be expanded to include premises located in third countries, subject to certain conditions (including the CTPPs’ consent). The costs of the oversight are levied on the cohort of CTPPs on an annual basis.
CTPPs which are part of a group are required to designate one legal person as coordination point to facilitate a streamlined dialogue with the Lead Overseer. The ESAs have clarified that they are expecting this entity to be an EU subsidiary and that it has to be fit for purpose with a view to resources and capacity, employees’ level of skill and seniority as well as on-site inspection readiness. Any non-EU CTPPs will need to establish a subsidiary in the EU within 12 months to be able to continue providing services to EU financial entities. It remains to be seen how the ESAs’ interaction with groups’ coordination points will develop in practice, given that DORA suggests oversight is over individual CTPPs only and it does not provide a legal basis for consolidated oversight at group level.
Recommendations to CTPPs and their ties to financial entities’ ICT risk management
DORA’s new oversight regime will complement financial entities’ ICT third-party risk management with a view to mitigating potentially systemic consequences of service provider failures. This complementary approach is reflected in the functioning of the Lead Overseers’ “recommendations”, which tie into financial entities’ risk management obligations:
Should Lead Overseers identify deficiencies during their oversight, they may, in coordination and consultation with the other ESAs and competent NIS2 supervisors, issue recommendations to CTPPs, including with regard to ICT security, conditions and terms for ICT services, and subcontracting. Lead Overseers may also request reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT third-party service providers following such recommendations. If CTPPs decide not to comply, they are required to provide an explanation, and should the Lead Overseer maintain its position, the non-compliance is made public.
Complementary to this “comply or explain” enforcement vis-à-vis CTPPs, the recommendations and reports are also shared with financial supervisors, which are asked to inform financial entities of the identified CTPP risk. In turn, financial entities are required to consider these risks in their ICT third-party risk management (which is subject to supervisory scrutiny). As a matter of last resort, the supervisors may even require financial entities to temporarily suspend the use of a service or to terminate the relevant contractual arrangements. Lead Overseers may issue non-binding and non-public opinions to steer supervisors should they find this necessary to ensure consistent supervisory action vis-à-vis financial entities.
Conclusion
DORA introduces a transformative regulatory framework that directly supervises ICT service providers deemed critical to the stability of the EU financial system. This extends far beyond previous outsourcing guidelines. ICT service providers that meet DORA’s criticality criteria should prepare for a shift comparable to being regulated themselves, and financial entities should closely monitor the developments affecting their service providers, considering that the oversight of those providers may have regulatory consequences for the financial entities as well.