ESAs designate critical ICT third-party providers under DORA
29 Dec 2025
On 18 November 2025, the European Supervisory Authorities (EBA, EIOPA, and ESMA) officially designated critical Information & Communication Technology (ICT) third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This milestone strengthens the operational resilience of the EU's financial sector by ensuring robust oversight of key ICT service providers.
Key highlights:
Role of CTPPs:
- These providers deliver essential ICT services, including infrastructure, business, and data services, to financial entities across the EU.
- They have a pivotal role in maintaining the financial ecosystem's stability.
Objective of the DORA Oversight framework:
- Promote the sound management of ICT risk by the critical providers through direct oversight engagement.
- The DORA framework mandates the European Supervisory Authorities to oversee CTPPs, ensuring they implement effective risk management and governance practices.
- This oversight aims to mitigate ICT risks and safeguard the EU financial sector's operational resilience.
The European Supervisory Authorities will continue engaging with designated CTPPs through ongoing examinations to uphold these standards.
For further details, refer to ESMA's news release and the List of Designated CTPPs.




