
On the 4th of December 2024, the three European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority – the ESAs) issued a joint statement on the application of Regulation 2022/2554/EU (DORA). As DORA and the ESAs’ technical standards and guidelines become applicable on the 17th of January 2025, financial entities must adopt a structured approach to meet their obligations on time, address any gaps between their internal setups and the DORA requirements, have their registers of ICT third-party providers’ contractual arrangements available for competent authorities, and be equipped to classify and report their major ICT-related incidents from the date of application. Additionally, the ESAs invite ICT third-party service providers to assess their operational set-up against DORA requirements. The first designation of critical ICT third-party service providers (CTPPs) is expected to take place in H2 2025.