EU Regulators Publish DORA Guide for Tech Providers

Greg Kilminster

Head of Product - Content

The European Supervisory Authorities (ESAs) – comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) – have issued a new guide detailing the oversight framework for critical third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). The document aims to provide clarity on how technology service providers to the financial sector will be supervised across Europe, enhancing the overall digital resilience of the Union's financial system. The guide is designed to offer a user-friendly overview of DORA's oversight mechanisms for critical ICT third-party service providers.


What is the goal of this DORA guide?


The financial sector's increasing reliance on external information and communication technology (ICT) services has brought about new systemic and concentration risks. DORA introduces a comprehensive framework specifically to address these challenges, complementing rather than replacing financial entities' existing responsibilities for managing ICT-related risks.


The DORA oversight framework applies exclusively to ICT third-party service providers officially designated as 'critical' by the ESAs. This designation is based on an annual assessment considering factors such as systemic impact on financial stability, the importance of the financial entities served, reliance on the provider for critical functions, and the substitutability of the ICT third-party provider.


The primary objectives of this framework are twofold: to promote consistency and efficiency in supervisory approaches to ICT third-party risk and to bolster the digital operational resilience of financial entities that depend on these critical providers. Ultimately, the goal is to enhance the collective understanding of risks posed by CTPPs and to mitigate them effectively, thereby preserving the stability of the Union's financial system and the integrity of its internal market.


Key takeaways


Operationally, the DORA oversight framework involves several key activities:


  • Designation: Annually, the ESAs will publish a list of designated CTPPs, determined by data from financial entities' ICT third-party arrangement registers and other available information. Designated CTPPs will be subject to oversight fees.
  • Risk assessment and planning: Overseers will conduct yearly risk assessments of CTPPs to determine their specific risk profiles. This informs the development of individual annual oversight plans for each CTPP and a multi-annual strategic plan for all CTPPs.
  • Examinations: These involve continuous interaction with CTPPs to assess the risks they pose to European financial entities. Activities include analysing documentation, conducting general investigations, performing inspections, and ongoing regular monitoring. Inspections are more intrusive, allowing overseers to request records and data, and enter business premises to gather information on ICT systems. Non-compliance can lead to severe consequences, including potential termination of contractual relationships between financial entities and the non-compliant CTPP.
  • Recommendations and follow-ups: Following examinations, overseers can issue non-binding recommendations to address identified deficiencies. These recommendations are followed up as part of ongoing monitoring, with CTPPs potentially required to submit remediation plans and progress reports.


The governance structure underpinning DORA oversight is a collaborative effort. Each CTPP is assigned a Lead Overseer (LO) from one of the ESAs, based on which ESA's financial entities collectively have the largest share of total assets relying on that CTPP's services. The LO is the primary contact point for the CTPP and is responsible for assessing the CTPP's ICT risk management framework.


The ESAs have also established a Joint Oversight Venture (JOV), led by a Joint Oversight Director, to maximise synergies and ensure consistency in oversight tasks across sectors. Supporting the LOs are Joint Examination Teams (JETs), composed of staff from the ESAs, relevant national competent authorities, and, on a voluntary basis, national competent authorities under NIS 2 supervising the CTPP.


Higher-level coordination is managed by the Joint Oversight Network (JON), which monitors and steers oversight activities, and the Oversight Forum (OF), a dedicated standing committee that prepares decisions and promotes a consistent approach to ICT risk monitoring at the EU level.


Next steps


This guide serves as an important resource for CTPPs, financial entities, competent authorities, and the wider public to understand the DORA oversight framework. The ESAs note that the guide may be revised as oversight experience develops. It is crucial for all stakeholders to recognise that this guide does not replace the legal requirements of DORA and its associated acts, which should be consulted for full details.