Enhancing Financial Stability: The Designation of Critical ICT Third Party Providers, DORA and Beyond
The Digital Operational Resilience Act (“DORA”) is now a familiar regulation across the EU’s financial sector, designed to strengthen the digital operational resilience of financial entities. Effective from 17 January 2025, DORA introduced a comprehensive framework to address the industry’s growing reliance on technology providers and to mitigate cyber and operational risks. Financial entities have been revising their contractual arrangements with ICT third-party providers (“ICT TPPs”) to align with DORA’s third-party risk management requirements.
Critical ICT Third-Party Provider Regime: A Dual Perspective
While early attention has focused on financial entities’ compliance, regulatory focus is now on its oversight framework for critical ICT third-party providers (“CTPPs”). This framework empowers the European Supervisory Authorities - the EBA, EIOPA and ESMA (“ESAs”) to directly oversee the activities and risks posed by CTPPs to the EU’s financial system.
For Financial Entities:
The regime is one of the ways to address growing concerns over the sector’s dependence on a small number of ICT TPPs—many of whom are global in scale—whose failure in certain services they provide to financial entities could pose systemic risk. By introducing direct oversight of critical ICT providers, DORA reinforces financial entities’ own risk management efforts and promotes a coordinated approach to preventing systemic disruptions.
For ICT TPPs:
For ICT TPPs, particularly those that may be designated as CTPPs, the regime introduces a new layer of regulatory oversight. Providers should prepare for the possibility of designation (we understand the net for designation will be cast more widely than initially thought) and the associated responsibilities, including compliance with the ESAs’ oversight requirements.
Overview of the Designation Process: What It Means for Financial Entities and ICT TPPs
The designation process for CTPPs under DORA began in April–May 2025 with the data collection phase, during which financial entities submitted their Registers of Information to national competent authorities. Those submissions form the foundation for the criticality assessment, which the ESAs are currently carrying out. The assessment is being conducted in accordance with Article 31 of DORA and considers four key criteria:
- the potential systemic impact on the stability, continuity, or quality of financial services if the provider were to suffer a large-scale operational failure;
- the systemic importance of the financial entities that rely on the provider;
- the concentration of reliance on the provider for critical or important functions across multiple financial entities; and
- the degree of substitutability of the provider’s services.
To evaluate these criteria, the ESAs are applying a two-step methodology set out in the delegated regulation. This involves a combination of quantitative and qualitative measures across 11 distinct sub-criteria. Providers that meet the initial six quantitative thresholds will then be assessed against an additional five qualitative sub-criteria to determine whether they should be formally designated as CTPPs.
Later this month, the ESAs are expected to begin notifying ICT TPPs identified as potentially critical. These providers will then have a six-week window to respond and provide any relevant feedback. Following this, between October and November, the ESAs will finalise their assessments and issue formal designations of CTPPs and from December 2025 onwards, designated providers will enter the supervision phase.
Governance and Supervision
What should CTPPs expect?
CTPPs will be subject to a multi-layered oversight structure, including being assigned a Lead Overseer (LO). LOs will conduct risk assessments informed by the previous year’s examination activities, by inputs from financial entities such as incident reports, and by information supplied by the CTPPs themselves. These assessments will help LOs prioritise oversight activities and determine the appropriate level of supervisory intensity. Each LO will also develop an annual oversight plan, setting out supervisory objectives, key priorities, planned activities, and timelines for the year ahead. Based on their findings, LOs may issue recommendations to CTPPs on matters such as ICT security, service conditions, and subcontracting arrangements.
What this means for financial entities
CTPPs are expected to formally notify the LO of their intention to comply with recommendations made to them. Where a CTPP fails to do so, competent authorities may alert financial entities to the associated risks and, where appropriate, take supervisory action. ESAs may issue non-binding, non-public opinions to competent authorities if a CTPP’s non-compliance is deemed to pose a risk. This could prompt financial entities to reassess their relationship with the provider and, in some cases, lead to recommendations to suspend or terminate the arrangement.
Who else?
Not all ICT TPPs will be designated as CTPPs. Financial entities should be aware of the exclusions, such as providers already subject to EU-level oversight (for example, those supporting central banking functions), intra-group service providers, and ICT TPPs operating exclusively within a single EU member state for financial entities active only in that member state. Providers should assess whether they fall within the scope of DORA’s designation regime.
ICT TPPs may also choose to self-designate as CTPPs, which might be surprising given the regulatory burden and responsibility for funding the costs of the oversight regime. However, there are several potential advantages to doing so. Self-designation can offer a competitive edge by signalling a proactive approach to ICT risk management and a willingness to subject internal systems to regulatory scrutiny. It may also help ensure that internal processes are made yet more robust and resilient in the face of potential failures or disruptions (which is naturally central to the success, resilience and reputations of ICT TPPs themselves).
A Parallel Approach: The UK’s CTP Regime
While DORA sets the standard for ICT oversight across the EU, it’s not the only regime taking shape. The UK has introduced its own framework for supervising critical third-party providers (“UK CTP Regime”) (see our earlier article on the UK CTP Regime here), reflecting a similar recognition of systemic risk—but with some key differences in scope and implementation. Understanding how the UK’s approach compares can help multinational service providers prepare for both regimes and anticipate regulatory expectations across jurisdictions. Announcements for the first designations in the UK are expected in the second half of 2025.
Getting ahead: Practical Steps for ICT TPPs
Most ICT TPPs working with financial institutions should already be engaging with their financial entity customers on their contractual uplifts. For ICT TPPs that may fall within scope of designation as a CTPP, early preparation is essential. Key steps include:
- Appoint an EU coordination hub: Non-EU providers may need to identify an EU subsidiary capable of acting as the central point of contact with the ESAs. This is a requirement under DORA, and being based outside the EU does not exempt a provider from designation.
- Build operational resilience: Ensure the designated entity has the authority, infrastructure, and skilled personnel to manage regulatory requests and support on-site inspections.
- Enable transparency: Be prepared to provide timely access to service and financial data, including information required for oversight fee calculations.
- Engage proactively: Establish a structured approach to regulatory dialogue, with senior leadership empowered to respond to supervisory recommendations.
Conclusion: A Shared Responsibility
As financial regulators sharpen their focus on operational resilience, DORA marks a significant shift in how ICT risk is managed across the EU financial sector. The designation of CTPPs introduces a new layer of regulatory oversight and scrutiny—one that reflects the systemic importance of technology providers in today’s financial ecosystem.
For Financial Entities:
For financial entities, the designation and regulation of CTPPs (and the potential augmentation of those providers’ risk management controls and resilience) is of great interest and may well offer further assurance. Having said that, use of a CTPP (rather than any other ICT TPP) does not reduce or remove a financial entity’s own regulatory obligations; it is a common misconception that it might.
For ICT Providers:
For tech companies, this is more than a compliance exercise. It’s an opportunity to demonstrate maturity in operational risk management, transparency, and governance. Those that act early—by strengthening internal coordination, investing in oversight readiness, and engaging proactively with regulators—will not only ease the path through designation but also position themselves as trusted, long-term partners to financial institutions.
With parallel regimes emerging in the UK and beyond, the message is clear: regulatory expectations are rising, and digital resilience is now a shared responsibility.