ESAs publish DORA oversight guide
16 July 2025 Belgium
Image: Harvinder/stock.adobe.com
The European Supervisory Authorities (EBA, EIOPA, and ESMA) have published a new guide detailing their oversight approach for critical third-party ICT service providers (CTPPs) under the Digital Operational Resilience Act (DORA), as implementation of the regulation advances across the financial sector.
The guide provides financial institutions and service providers with a high-level overview of the governance structure, processes, and supervisory tools the ESAs will use to oversee designated CTPPs — firms whose ICT services are deemed critical to the EU’s financial system. It also clarifies the roles of Joint Examination Teams (JETs), Lead Overseers, and national competent authorities in conducting monitoring, investigations, and on-site inspections.
The DORA framework, which has applied from 17 January 2025, introduces a harmonised EU-wide approach to ICT risk management and operational resilience. It covers more than 20 categories of financial entities and aims to reduce systemic risk by establishing direct regulatory oversight over the external technology providers many firms rely on.
Market participants — particularly CSDs, CCPs, trading venues, and firms using cloud and data services from designated CTPPs — will be subject to enhanced scrutiny, with regulators able to issue non-binding recommendations and impose oversight fees. Financial entities may also be required to adjust their third-party risk management frameworks based on findings shared by the ESAs.
The oversight guide confirms that the first round of CTPP designations will be completed by the end of 2025, with oversight activity becoming fully operational in early 2026. Criticality assessments are based on a range of quantitative and qualitative criteria, including the systemic importance of the services provided and the lack of viable substitutes.
The ESAs are expected to publish a list of designated CTPPs later this year, following a formal consultation and objection period. The guide also outlines expectations for both EU and non-EU providers, including the need for coordination points or subsidiaries within the Union to ensure cooperation with the oversight teams.
The new framework marks a shift in how digital infrastructure risk is managed across EU capital markets — and will require firms and vendors alike to be ready for more structured engagement with supervisory bodies.
The guide provides financial institutions and service providers with a high-level overview of the governance structure, processes, and supervisory tools the ESAs will use to oversee designated CTPPs — firms whose ICT services are deemed critical to the EU’s financial system. It also clarifies the roles of Joint Examination Teams (JETs), Lead Overseers, and national competent authorities in conducting monitoring, investigations, and on-site inspections.
The DORA framework, which has applied from 17 January 2025, introduces a harmonised EU-wide approach to ICT risk management and operational resilience. It covers more than 20 categories of financial entities and aims to reduce systemic risk by establishing direct regulatory oversight over the external technology providers many firms rely on.
Market participants — particularly CSDs, CCPs, trading venues, and firms using cloud and data services from designated CTPPs — will be subject to enhanced scrutiny, with regulators able to issue non-binding recommendations and impose oversight fees. Financial entities may also be required to adjust their third-party risk management frameworks based on findings shared by the ESAs.
The oversight guide confirms that the first round of CTPP designations will be completed by the end of 2025, with oversight activity becoming fully operational in early 2026. Criticality assessments are based on a range of quantitative and qualitative criteria, including the systemic importance of the services provided and the lack of viable substitutes.
The ESAs are expected to publish a list of designated CTPPs later this year, following a formal consultation and objection period. The guide also outlines expectations for both EU and non-EU providers, including the need for coordination points or subsidiaries within the Union to ensure cooperation with the oversight teams.
The new framework marks a shift in how digital infrastructure risk is managed across EU capital markets — and will require firms and vendors alike to be ready for more structured engagement with supervisory bodies.
NO FEE, NO RISK
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Â鶹´«Ã½ Finance Times
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Â鶹´«Ã½ Finance Times
