ESAs make progress on critical ICT third-party oversight framework

ICT providers designated critical under DORA will get six weeks to challenge the designation.

The European Supervisory Authorities (ESAs – EBA, EIOPA and ESMA) are making progress in establishing a pan-European oversight framework of critical ICT third-party service providers (CTPPs). Their goal is to designate the CTPPs and to begin oversight activities this year.

The CTPP designation will involve the following steps:

  • Information collection: By April 30, 2025, national Competent Authorities must submit to the ESAs the Registers of Information on ICT third-party arrangements that they received from financial entities.
  • Criticality assessments: The ESAs will conduct criticality assessments mandated by the Digital Operational Resilience Act (DORA). ICT third-party service providers will be notified of their critical classification by July 2025, giving them six weeks to object to the assessment with a reasoned statement and supporting information.
  • Final designation: Following the six-week period, the ESAs will finalize the CTPP designations and initiate oversight engagement.

ICT third-party service providers not initially designated as critical may voluntarily request critical status after the CTPP list is published. Details on how to request this will be provided soon.

Oversight activities

The ESAs have been developing the necessary governance, procedures and methodologies to conduct their oversight activities. To maximize synergies, ensure consistent oversight, and promote efficient resource use, they established a joint DORA oversight function in October 2024, led by a joint director. This function will facilitate an integrated approach to daily oversight across all sectors.

Next steps: Industry workshop

To clarify preparatory activities, the designation process and the ESAs’ oversight approach, the ESAs plan to host an online workshop for ICT third-party providers in the second quarter of 2025. The specific date will be announced later.

GRIP comment

The ESA announcement to designate the CTPPs this summer is an important step in strengthening the operational resilience of the financial sector and ensuring the stability of the broader financial system in the face of increasing reliance on third-party ICT services.

The oversight framework will give financial institutions a better understanding of their obligations regarding ICT third-party risk management. ICT third-party providers will also benefit: designation as a CTPP will bring increased scrutiny but can also be a mark of quality and reliability, potentially giving these providers a competitive advantage.