ESAs publish official list of designated critical CTPPs under DORA

The European Supervisory Authorities, referred to as ESAs (comprising the European Banking Authority, European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) have published the official list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation followed a structured process involving data collection from financial entities' ICT service registers, a criticality assessment in cooperation with national competent authorities and a notification process to those CTPPs identified as critical, after which they benefitted from their right to be heard by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information. Designated CTPPs, which deliver essential ICT services across the EU financial sector, will now be subject to direct oversight by the ESAs to ensure they have appropriate risk management and governance frameworks in place. The ESAs will continue engaging with CTPPs in the course of upcoming examination activities.

Return to main website.