The ESAs' Guide on DORA Oversight Activities for Critical Third-Party Providers (CTPPs)
James Ross
Jul 16
Executive Summary
This report summarises the "Guide on Oversight Activities" for the Digital Operational Resilience Act (DORA), published by the European Supervisory Authorities (ESAs) on 15 July 2025. The guide details the new European framework for the direct oversight of Critical Third-Party Providers (CTPPs) of ICT services, establishing a significant shift in regulatory focus.
The core objective of this framework is to enhance the digital resilience of the EU financial sector by monitoring CTPPs, harmonising supervisory practices, and mitigating systemic concentration risks. A new, multi-layered governance structure, led by a designated Lead Overseer (LO) for each CTPP, will execute oversight through a range of activities, including ongoing monitoring, formal investigations, and on-site inspections.
The implications for firms are substantial. CTPPs will face increased scrutiny, compliance burdens, and direct costs, with non-compliance potentially leading to public censure and financial penalties. Financial Entities must enhance their due diligence, prepare for potential service disruptions if their CTPPs fail to meet DORA standards, and expect greater supervisory focus on their third-party dependencies. In essence, DORA extends regulatory oversight beyond financial entities to directly include the critical technology providers that form the backbone of the modern monetary system.

1. Introduction
On 5 July 2025, the European Supervisory Authorities (EBA, EIOPA, and ESMA) published a comprehensive "Guide on Oversight Activities" regarding the Digital Operational Resilience Act (DORA). This guide specifically addresses the new European framework for overseeing Critical Third-Party Providers (CTPPs) of ICT services. While this document serves as a user-friendly guide to the oversight framework, it is essential to note that it does not have legal effect and is not a substitute for the legal requirements stipulated in European Union law.
This report provides a structured summary of the guide, detailing the DORA oversight framework, the key actors involved, the scope of oversight activities, and the significant implications for both CTPPs and the financial entities that rely on their services.
2. Summary of the DORA Oversight Framework for CTPPs
DORA establishes a pioneering framework to fortify the digital operational resilience of the EU's financial sector. This is achieved through direct oversight of ICT service providers deemed critical to the functioning of financial entities.
2.1. Key Objectives
The primary goals of the DORA oversight framework are to:
Monitor and Assess Risks: Equip the European Supervisory Authorities (ESAs) to effectively monitor the activities of CTPPs and the risks they may pose to the financial sector, ensuring these providers maintain robust risk management procedures.
Promote Convergence: Foster a consistent and harmonised supervisory approach to ICT third-party risk across the entire EU financial sector.
Strengthen Resilience: Enhance the digital operational resilience of financial entities (FEs) that rely on CTPPs for their critical or essential functions.
Mitigate Systemic and Concentration Risks: Address the potential systemic threats that arise from the financial sector's heavy reliance on a small number of dominant ICT providers.
2.2. Core Principles
The framework is designed to be:
Consistent: Ensuring a uniform approach across sectors and jurisdictions.
Trustworthy: Building confidence in the oversight process.
Proportional: Tailoring oversight activities to the level of risk posed by the CTPP.
Transparent: Providing clarity to all stakeholders on the processes and outcomes.
3. Key Actors and Governance Structure
A multi-layered governance structure has been established to implement the oversight framework, ensuring cross-sectoral cooperation and consistency.
European Supervisory Authorities (ESAs): The European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) are collectively empowered to oversee CTPPs.
Lead Overseer (LO): For each designated CTPP, one of the three ESAs is appointed as the LO. The LO serves as the primary point of contact and is responsible for leading and coordinating all oversight activities for that CTPP.
Joint Committee (JC): As the most senior cross-sectoral body of the ESAs, the JC is responsible for adopting key decisions, including the formal designation of CTPPs.
Oversight Forum (OF): A dedicated standing committee that performs preparatory work for the JC and ensures a consistent strategic approach to DORA oversight.
Joint Oversight Network (JON): Coordinates the practical execution of oversight activities for all CTPPs.
Joint Examination Teams (JETs): Composed of staff from the ESAs and the relevant national Competent Authorities, JETs assist the LO in conducting specific oversight examinations.
DORA Joint Oversight Venture (JOV): A collaborative body established by the ESAs to maximise synergies and ensure an integrated, cross-sectoral approach to the day-to-day execution of oversight.
Competent Authorities (CAs): National supervisory bodies that participate in oversight activities, provide the ESAs with information on material issues, and use the insights from CTPP oversight to inform their direct supervision of financial entities.
4. The Oversight Cycle and Activities
The guide outlines a structured, cyclical process for CTPP oversight, involving several distinct stages and activities.
4.1. Designation
Annually, the ESAs will designate CTPPs based on a set of clear criteria, including their systemic impact, their importance to a significant number of FEs, the reliance of FEs on their services for critical functions, and the difficulty of substituting them. Designated CTPPs will be subject to oversight fees. The framework also allows non-designated providers to voluntarily "opt in" for assessment.
4.2. Risk Assessment & Planning
An annual risk assessment is conducted for each CTPP. The findings inform the creation of an individual Annual Oversight Plan for that CTPP and contribute to a broader multi-annual strategic plan for oversight activities.
4.3. Examinations
The LO can deploy a range of examination tools, varying in intensity:
Ongoing Regular Monitoring: Continuous interaction with the CTPP to collect data and analyse its organisational structure, business model, and risk profile.
Requests for Information (RfI): Formal requests, which can be simple or issued "by decision," to gather specific information or clarify potential issues.
General Investigations: More formal reviews of specific risk areas, initiated by a decision, to conduct an in-depth analysis of the CTPP's practices.
Inspections: The most intrusive form of examination, typically conducted on-site at the CTPP's premises to gain a deep understanding of its operations, risk management, and internal controls.
4.4. Recommendations and Follow-ups
Following examinations, overseers will issue non-binding recommendations to address identified shortcomings. The CTPP must formally notify the LO of its intention to adhere to these recommendations and submit a detailed remediation plan. A CTPP's failure to follow a recommendation can, after a formal process, lead to the public disclosure of its non-compliance.
4.5. Oversight Processes
The guide outlines the administrative procedures for all oversight activities, including requirements for written authorisations and formal decision-making processes. It also sets out the protocol for conducting oversight activities outside the EU, which requires the CTPP's consent and notification to the relevant authorities of the third countries concerned.
5. Firm Implications
The DORA oversight framework carries significant implications for both ICT providers and the financial entities they serve.
5.1. For Critical Third-Party Providers (CTPPs)
Increased Scrutiny and Compliance: CTPPs face continuous and in-depth oversight, requiring them to maintain and demonstrate robust ICT risk management, governance, and resilience frameworks.
Formalised Interaction: CTPPs must establish a dedicated coordination point (for EU-based firms) or a subsidiary within the Union (for non-EU firms) to act as the primary liaison with the Lead Overseer.
Accountability and Reputational Risk: Failure to address recommendations can lead to public disclosure, posing a significant reputational risk that could affect client trust and market standing.
Financial Obligations: CTPPs are required to pay annual oversight fees. They may also face periodic penalty payments for failing to comply with specific binding requests, such as a formal Decision RfI.
Comprehensive Data Provision: CTPPs are obligated to provide extensive data and documentation upon request, including organisational charts, ICT budgets, security test results, and financial statements.
Operational Adjustments: Recommendations may force CTPPs to make material changes to their security protocols, service quality, or subcontracting arrangements.
5.2. For Financial Entities (FEs)
Enhanced Due Diligence: While oversight complements FE responsibilities, FEs must ensure that their third-party risk management aligns with the heightened standards and scrutiny applied to their CTPPs.
Improved Risk Awareness: Competent Authorities will use information from CTPP oversight in their supervision of FEs. FEs should anticipate more informed and targeted questions about their ICT and third-party risks.
Potential for Service Disruption: In cases of serious CTPP non-compliance, CAs may, as a last resort, require FEs to suspend or terminate their contracts. This underscores the critical need for FEs to have robust and tested exit strategies.
Focus on Concentration Risk: FEs should expect increased supervisory focus on their concentration of critical services with a limited number of CTPPs.
Collaboration with Regulators: FEs must maintain open communication with their CAs regarding any issues they identify with their CTPPs, as this information is valuable to the broader oversight framework.
6. Conclusion
The ESAs' guide on DORA oversight activities signals a fundamental shift toward a more proactive, harmonised, and intrusive regulatory regime for ICT providers that are critical to the EU financial system. The framework is designed to move beyond simply regulating financial entities to directly overseeing the digital infrastructure upon which they depend. Both Critical Third-Party Providers and Financial Entities must prepare to adapt their strategies, governance, and operational processes to meet the new, higher standards of digital operational resilience demanded by DORA.