The ESAs Take the Next Step in Overseeing Critical Third-Party Service Providers Under DORA
Key Takeaways
- CTPP Designation Process: The ESAs will collect the Registers of Information on ICT third-party arrangements by 30 April 2025, perform criticality assessments, and notify ICT third-party service providers of their classification by July 2025; final designation of critical providers follows a six-week objection window.
- Third-Party Risk Oversight: The ESAs have established a joint oversight function to ensure consistency and efficiency in managing third-party risk across the financial sector.
- Opportunities for Voluntary Designation: Non-designated service providers can request voluntary designation once the final list of CTPPs is published.
Deep Dive
The European Supervisory Authorities (ESAs) are laying the groundwork for a stronger oversight framework, and their latest initiative is a deliberate step towards tackling third-party risk, specifically the risk posed by critical ICT service providers under the EU's Digital Operational Resilience Act (DORA).
As the financial sector depends increasingly on external providers for essential technology services, managing the risk concentrated in these third-party relationships has become a pressing supervisory issue. The ESAs are now actively working to designate and oversee Critical ICT Third-Party Providers (CTPPs) during 2025, a move aimed at keeping the sector secure, reliable, and resilient in the face of evolving cyber threats and operational disruptions.
A Roadmap for Designating Critical Third-Party Providers
The process of identifying and designating critical service providers is intended to be methodical, transparent, and structured. Here is how it unfolds:
- Collecting the Registers of Information: By 30 April 2025, Competent Authorities across EU member states will submit their Registers of Information to the ESAs, detailing the third-party arrangements financial entities have in place. These registers are crucial in providing the data the ESAs need to assess which providers are critical.
- Criticality Assessments: Once the data is gathered, the ESAs will perform the criticality assessments mandated by DORA. By July 2025, they will notify ICT third-party service providers of the outcome, classifying each as critical or not. Providers that disagree with their classification will have six weeks to submit a reasoned objection.
- Final Designation: After the objection period, the ESAs will finalize the designation of CTPPs and start engaging with them on oversight activities. Service providers who aren’t initially designated as critical will still have the opportunity to request that designation once the final list is published.
The ESAs are taking a unified, collaborative approach to the oversight of CTPPs. Since October 2024, they have operated a joint oversight function led by a dedicated Director. This single structure is meant to let the ESAs address third-party risk in a coordinated and efficient way, with consistent treatment across the banking, insurance, and securities sectors they supervise.
The goal is to build a regulatory framework that not only helps financial entities manage the risks posed by their third-party relationships but also ensures that the oversight is integrated, resource-efficient, and proactive in preventing potential disruptions.
Market Engagement
To ensure that the financial market is prepared for what lies ahead, the ESAs are planning an online workshop with ICT third-party providers in the second quarter of 2025. This session will be a key opportunity to share insights on the designation process, the ESAs' oversight approach, and what service providers can expect as they enter this new phase of regulatory engagement.
DORA, which has applied since 17 January 2025, represents a milestone for the EU financial sector. The regulation is designed to ensure that financial entities are not only prepared for operational disruptions but also able to manage the risks posed by their critical third-party suppliers. Its aim is to preserve the integrity and continuity of financial operations even in the face of technology failures or cyber attacks.
DORA is more than just a set of rules. It’s also part of a broader EU effort to foster a more resilient digital economy. With the oversight of CTPPs as a cornerstone of this effort, the ESAs are ensuring that these critical service providers are subject to the same level of scrutiny as the financial institutions they serve.
Compliance, Risk, & the Future of Third-Party Management
For financial entities, third-party risk is not something to be taken lightly. As the digital landscape continues to evolve, it is essential that firms take proactive steps not only to understand the regulation but also to apply it effectively. For third-party providers, this means preparing for heightened scrutiny and ensuring that their operations meet the resilience standards DORA expects.
The ESAs' upcoming workshop will be a valuable resource for helping the market stay ahead of the curve. Beyond compliance, however, the real opportunity lies in building stronger, more resilient relationships between financial entities and their service providers. The future of risk management involves a more integrated approach to oversight, one that meets regulatory requirements while also enhancing trust and stability across the sector.
By prioritizing third-party risk and offering a structured path to compliance, the ESAs are shaping a more resilient, secure financial sector. It is not just about ticking boxes; it is about preparing for the challenges ahead and ensuring that the financial services ecosystem remains robust in an increasingly digital world.