News

European Supervisory Authorities published a roadmap to designate critical ICT third-party service providers under the Digital Operational Resilience Act

19 February 2025

Key takeaways

The European Supervisory Authorities (“ESAs”) published a roadmap to designate critical ICT third-party service providers (“CTPPs”) under the Digital Operational Resilience Act (“DORA”).

To designate an ICT third-party service provider as “critical”, the ESAs will follow a series of steps listed in the roadmap.

ICT third-party service providers can object to the ESAs’ classification, provided the objection is supported with an explanation and corresponding evidence.

In the second quarter of 2025, the ESAs plan to hold an online workshop with ICT third-party service providers, where they aim to cover information relating to the designation process and oversight approach.

On 18 February 2025, the European Supervisory Authorities (“ESAs”) published a roadmap to designate critical ICT third-party service providers (“CTPPs”) under the Digital Operational Resilience Act (“DORA”).This is a significant step in the EU's efforts to enhance the digital resilience of the financial sector through the first-of-its-kind Oversight Framework that will bring important IT suppliers directly within the supervisory powers of financial regulators.

What has happened

On 18 February 2025, the European Supervisory Authorities (“ESAs”)—EBA, EIOPA, and ESMA – have published a roadmap to designate critical ICT third-party service providers (“CTPPs”)—third-party service providers, such as cloud services and data hosting companies, that are critical to the functioning of financial entities under the Digital Operational Resilience Act (“DORA”) (an overview on DORA is available in our previous Our Thinking article here) .This is a significant step in the EU's efforts to enhance the digital resilience of the financial sector through the first-of-its-kind Oversight Framework that will bring important IT suppliers directly within the supervisory powers of financial regulators.

What does the roadmap look like

To designate an ICT third-party service provider as “critical”, the ESAs will follow a series of steps:

By 30 April 2025, the Competent Authorities must submit the Registers of Information to the ESAs. These registers will list information regarding all ICT third-party arrangements that the financial entities have submitted to the authorities.
By July 2025, the ESAs will carry out the “criticality assessments” and notify the affected ICT third-party service providers if they have been classified as critical. This notification will trigger a six-week period during which the service providers can object to the ESAs’ classification, provided it is supported with an explanation and corresponding evidence – this is known as the “hearing period”.
After the six-week hearing period expires, the ESAs will make their designation of critical providers and begin their oversight activities. Providers not initially designated as critical may choose to request criticality status once the final list is published.

The oversight framework and setup of the joint ESAs oversight function

The ESAs have been developing governance structures, methodologies, and procedures required to oversee the CTPPs. In order to maximise efficiency and ensure consistent application of DORA, the ESAs established a joint oversight function in October 2024. This function, led by a joint Director, allows the ESAs to streamline and integrate their oversight efforts, enabling them to effectively carry out their day-to-day responsibilities.

Next steps

In the second quarter of 2025, the ESAs plan to hold an online workshop with ICT third-party service providers, where they aim to cover information relating to the “preparatory activities, the designation process and on the ESAs’ oversight approach”. More details, including the exact date, will be shared by the ESAs in the future.

Authored by Louise Crawford and Vera Mayzel.