ESAs roadmap for designation of critical ICT third-party service providers under DORA

The European Supervisory Authorities (ESAs) have published a roadmap for the designation of critical ICT third-party service providers (CTPPs) under the EU Digital Operational Resilience Act (DORA). The roadmap of key dates between now and the end of the year. The roadmap sets out four milestones:

• By 30 April, the ESAs will collect the registers of information that financial entities submitted to the competent authorities.
• By the end of July, the ESAs will perform criticality assessments required under DORA and notify third-party service providers if they are classified as critical.
• By the first half of September, there will be a hearing period where ICT third-party service providers may object to the assessment, with a reasoned statement and supporting information.
• By the end of this year, the ESAs will have designated and published the list of CTPPs and started the oversight engagement.

Alongside the roadmap, the European Banking Authority published a press release confirming that ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published, with details of how to make such a request to be provided soon. The ESAs also plan to organised a workshop with ICT third-party providers in Q2 this year, with details to be published in due course.

Return to main website.