On 18 February 2025, the European Supervisory Authorities (ESAs)—the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)—published a roadmap outlining the key steps for the designation of critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA). (Source: ESMA)
Key Steps in the CTPP Designation Process for 2025:
- Collection of ICT Third-Party Registers (by 30 April 2025):
National competent authorities (NCAs) must submit to the ESAs the registers of third-party ICT service arrangements received from financial entities.
- Criticality Assessments (by July 2025):
The ESAs will assess ICT third-party service providers to determine their criticality. Those classified as critical will be notified and will have six weeks to challenge the designation by providing supporting evidence.
- Final Designation and Supervision Engagement:
After the challenge period, the ESAs will finalize the CTPP designation and initiate supervisory activities with the designated providers.
Non-designated ICT third-party service providers will have the opportunity to voluntarily request a designation once the official list of CTPPs is published. Further details on this process will be provided at a later stage.
Strengthening Supervisory Coordination Under DORA
Since October 2024, the ESAs have been preparing for the joint supervisory function under DORA, led by a Common Director. This approach aims to enhance coordination, ensure consistency in supervision, and optimize resource allocation.
To further clarify the designation process and the ESAs' supervisory approach, an online workshop with ICT service providers is planned for Q2 2025. More details will be announced in due course.