The European Supervisory Authorities (the EBA, EIOPA, and ESMA, together the "ESAs") have published a comprehensive guide (the "Guide") on oversight activities for critical Information and Communication Technology (ICT) third-party providers ("CTPPs") under the Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA"). The Guide provides a detailed framework for how the ESAs will oversee the most critical technology providers serving the EU financial sector, marking a significant step in strengthening digital operational resilience across European financial markets.
Why DORA oversight matters
The DORA oversight framework represents a groundbreaking approach to managing ICT risks in the financial sector. Recognising the growing reliance of financial entities on external technology services, DORA introduces a comprehensive oversight mechanism for CTPPs. The framework addresses potential systemic and concentration risks arising from the financial sector's dependence on a limited number of ICT providers, with studies showing that more than 30% of significant banks' ICT budgets are allocated to just 10 providers.
The ESAs are empowered to oversee CTPPs on a pan-European scale. This oversight complements, rather than replaces, financial entities' own responsibilities for managing ICT-related risks and the supervision already exercised over them by competent authorities.
How the oversight framework works
Designation of critical providers
The ESAs conduct an annual risk assessment to designate ICT third-party service providers as critical based on four key criteria:
- systemic impact on financial services,
- the systemic importance of financial entities relying on the provider,
- the degree of reliance on the provider's services, and
- the substitutability of the provider.
The assessment follows a two-step process, applying both quantitative and qualitative criteria to identify providers whose failure could significantly impact the EU financial sector.
Governance structure
The oversight framework operates through a clear governance structure: the Oversight Forum serves as the standing committee for DORA oversight, while the Joint Oversight Network monitors and coordinates oversight activities. For each CTPP, a Lead Overseer is appointed to manage oversight, supported by Joint Examination Teams composed of ESAs and competent authority staff who conduct day-to-day oversight activities.
Oversight activities and tools
The ESAs employ a range of proportionate, risk-based oversight tools: ongoing monitoring through regular interaction with CTPPs, information requests to address specific concerns, general investigations for formal risk area reviews, and on-site inspections for detailed examinations. The framework emphasizes transparency and evidence-based decision-making while protecting confidential information.
Recommendations and follow-up
Following examinations, the ESAs can issue non-binding recommendations to CTPPs addressing identified deficiencies in areas such as ICT security requirements, service terms and conditions, or subcontracting arrangements. CTPPs have 60 days to notify their intention to follow recommendations or provide reasoned explanations for non-compliance. If explanations are deemed insufficient, the ESAs may publicly disclose the CTPP's non-compliance, ensuring transparency and accountability in the process.
Expectations for CTPPs
The Guide establishes clear expectations for CTPPs regarding ESA interactions. Both EU and non-EU CTPPs must designate coordination points or establish EU subsidiaries with sufficient corporate substance to handle oversight. These entities must provide comprehensive information about services to EU financial entities, maintain adequate technical and financial resources, employ appropriately skilled staff, and provide suitable facilities for on-site inspections.
The DORA oversight framework represents a significant evolution in financial sector regulation, establishing the first comprehensive EU-wide oversight mechanism for critical ICT service providers. By creating a structured, transparent, and proportionate approach to managing technology risks, the framework aims to enhance the digital operational resilience of the European financial system while fostering innovation and competition in the ICT services market.
First year of CTPP oversight: timeline