The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) publish today the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation marks a crucial step in the implementation of the DORA oversight framework. The list of CTPPs designated by the ESAs is accessible through this link. The designation process followed the methodology mandated by DORA.
First, the ESAs collected data from the Registers of Information maintained by financial entities, which detail their contractual arrangements for ICT services.
Second, the ESAs conducted a detailed criticality assessment in cooperation with the Competent Authorities (CAs) across the EU from the banking, insurance, pensions, and securities sectors. This assessment followed DORA's multifaceted criteria.
It required a complete evaluation of a provider’s systemic importance, its role in supporting critical functions for financial entities, and the level of substitutability of its services.
Third, ICT third-party providers assessed as critical were formally notified, after which they benefitted from their right to be heard by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information, ensuring the integrity of the process.
The designated CTPPs provide a range of ICT services (e.g., from core infrastructure to business and data services) to financial entities of all types and sizes across the European Union, reflecting their pivotal role within the financial ecosystem.
The DORA Oversight Framework, mandated to the ESAs, aims to promote sound ICT risk management by critical providers. Through direct oversight, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks.
This ensures the resilience of services delivered to financial entities. It mitigates risks that could impact the operational resilience of the EU's financial sector.
The ESAs will keep engaging with CTPPs in the course of upcoming examination activities.
