DORA Oversight of Critical Third-Party Providers

Last Updated on July 16, 2025 by Arnaud Collignon

1. Introduction and Core Purpose

The DORA oversight framework is established to address the growing reliance of financial entities (FEs) on external Information and Communication Technology (ICT) services and the systemic and concentration risks that this reliance creates. It aims to enhance the overall digital operational resilience of the European Union’s financial sector.

  • Pivotal Role of Technology: Recognising the pivotal role technology plays in the viability and competitiveness of the financial sector, as well as the growing reliance of FEs on external ICT services, the Digital Operational Resilience Act (DORA) introduces a comprehensive oversight framework for critical ICT third-party service providers (CTPPs).
  • Complementary Framework: This oversight framework complements, rather than replaces, financial entities’ own responsibilities for managing ICT-related risks and the supervision already exercised over them by competent authorities (CAs).

2. Key Objectives of DORA Oversight

The framework equips overseers with tools to monitor CTPP activities and their associated risks to the financial sector, ultimately contributing to financial stability.

  • Risk Management Assessment: Overseers assess whether CTPPs have in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks they may pose to the financial sector.
  • Promoting Convergence & Efficiency: The framework contributes to (i) promoting convergence and efficiency in relation to supervisory approaches when addressing ICT third-party risk in the financial sector, and (ii) strengthening the digital operational resilience of FEs relying on CTPPs for the provision of ICT services that support the supply of financial services.
  • Expected Outcomes: Tangible outcomes include:
    • Designation of critical ICT third-party service providers.
    • Development of knowledge and understanding of CTPP services and risks.
    • Identification of areas needing risk mitigation actions.
    • Formalization of actions via specific recommendations to CTPPs.
    • Sharing of relevant oversight information with CAs for FE supervision.

3. Scope and Principles

The DORA oversight framework specifically applies to ICT third-party service providers designated as critical by the European Supervisory Authorities (ESAs). The principles guiding this oversight are consistency, trustworthiness, and transparency.

  • Criticality-Based Scope: The DORA oversight framework applies exclusively to ICT third-party service providers designated as critical by the ESAs.
  • Designation Criteria: Criticality assessment is based on criteria such as systemic impact, interconnectedness, critical nature of services, limited substitutability, and the number and type of financial entities served. These are further elaborated with quantitative and qualitative factors across four domains: systemic impact, systemic character/importance of FEs, reliance of FEs on critical/important functions, and substitutability.
  • Foundational Principles: The ESAs apply a set of principles transversally across the oversight activities to ensure consistency, trustworthiness, and transparency.

4. Governance and Organization

The DORA oversight framework is integrated into the general governance of the ESAs, featuring a multi-layered structure designed for collaboration and efficiency.

  • Lead Overseer (LO): One of the ESAs is designated as the LO for each CTPP, responsible for conducting oversight activities. The LO is the entity primarily in contact with the CTPP on all matters related to the oversight. The LO also charges oversight fees to CTPPs.
  • Joint Examination Teams (JETs): The LO is supported by JETs, comprised of staff from the ESAs, relevant CAs supervising FEs, and, on a voluntary basis, national CAs under NIS 2 supervising the CTPP and national CAs from the CTPP’s established Member State. JETs assist and support the overseers in performing the oversight activities.
  • Joint Oversight Venture (JOV): The three ESAs have established a DORA joint oversight venture (JOV) led by a Joint Oversight Director to maximise synergies, ensure consistency in the oversight tasks and to achieve a more efficient use of resources. This ensures a cross-sectoral integrated approach to day-to-day oversight.
  • Oversight Forum (OF): A standing committee of the ESAs dedicated to DORA oversight, set up as a sub-committee of the Joint Committee (JC). It carries out preparatory work both for certain individual acts addressed to CTPPs and for the issuing of collective recommendations by the JC, ensuring a consistent approach to oversight activities.
  • Joint Oversight Network (JON): Set up by the overseers to coordinate the conduct of oversight activities over CTPPs.
  • Role of CAs: Competent Authorities (CAs) play a crucial role by participating in the conduct of oversight activities, contributing expert staff to the JETs, and by steering the outcomes of these activities through their membership of the governance bodies. They also inform overseers of material issues identified during their supervision of FEs.

5. DORA Oversight Activities and Processes

The oversight framework involves a cyclical process of designation, risk assessment and planning, examinations, and recommendations with follow-up.

  • Annual Designation: The ESAs annually publish a list of CTPPs based on the criticality assessment, informed by data from FEs’ Registers of Information. ICT third-party providers that have not been designated can voluntarily request to be assessed.
  • Risk Assessment and Planning: Annually, overseers conduct an Oversight Risk Assessment Process (ORAP) to define the intensity and priorities of oversight activities. This leads to (i) individual annual oversight plans per CTPP and (ii) an overarching internal multi-annual oversight plan.
  • Examinations: These are tasks to evaluate a CTPP’s risk situation and include:
    • Ongoing Regular Monitoring: Continuous interaction and information gathering (e.g., periodic reports, meetings) to maintain understanding of the CTPP’s operations and risks.
    • Requests for Information (RfI): Tools to request information from CTPPs, either by ‘Simple Request’ (no financial penalties for missing deadlines, but information must be accurate) or by ‘Decision’ (formal, with potential penalties for non-compliance).
    • General Investigations: Formal reviews covering specific risk areas, initiated by a decision. They can be Regular, Thematic, Targeted, or Follow-up investigations.
    • Inspections: More intrusive examinations conducted at CTPP premises (head offices, operational buildings) or off-site, aiming for a deeper understanding of business operations, risk management, and internal controls.
  • Recommendations and Follow-up:
    • Recommendations: Non-binding recommendations addressing identified deficiencies in CTPPs’ ICT risk management, security, contractual terms or subcontracting arrangements. Each recommendation includes an indication of its sensitivity and of the priority for remediation. CTPPs have 30 days to provide evidence of the expected impact on their customers that are not FEs and to propose mitigating solutions.
    • Follow-up: CTPPs are requested to submit remediation plans and progress reports. If a CTPP decides not to follow a recommendation, it must provide a reasoned explanation. If that explanation is deemed insufficient, DORA mandates public disclosure of the CTPP’s identity, including information about the type and nature of the non-compliance. In such cases, CAs may issue warnings to FEs or require them to suspend or terminate the relevant services.
  • Oversight Activities Outside the Union: Overseers can exercise their powers in third countries for oversight activities that are necessary and directly related to services provided to Union FEs, provided the CTPP consents and the relevant third-country authority has been notified and raises no objection. Administrative cooperation arrangements with third-country authorities are essential to this.

6. Key Expectations for CTPP Coordination Points/Subsidiaries

Once designated as critical, CTPPs are expected to collaborate with overseers and establish robust coordination points or subsidiaries, particularly for non-EU CTPPs.

  • Coordination Point/Subsidiary Requirements: CTPPs established in the EU must designate an EU-established legal person as their coordination point, and non-EU CTPPs must establish a subsidiary in the Union.
  • Corporate Structure and Staff Seniority: Expected to be proportionate to the nature, scale, complexity of the CTPP’s business.
  • Capacity and Authority: The coordination point or subsidiary must have sufficient authority, technical capacity, equipment, business premises and financial resources to gather and provide the overseers with the information they request. This includes the ability to provide all relevant accounting and financial information needed for the calculation of oversight fees, and access to the financial resources to cover the yearly oversight fees and, where applicable, periodic penalty payments.
  • Staffing and Management: A sufficient number of staff with appropriate knowledge and competence, and management with sufficient authority and knowledge to commit the CTPP in the oversight activities, are expected.
  • Business Office Space: Sufficient space is required to allow the conduct of on-site inspections by the JETs.

This briefing summarizes the critical aspects of the DORA oversight framework for CTPPs, emphasizing its structured approach to identifying, assessing, and mitigating ICT-related risks within the EU financial sector.

https://www.esma.europa.eu/sites/default/files/2025-07/JC_2025_29__DORA_Guide_on_oversight_activities.pdf