On the 18th of February 2025, the European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority – the ESAs) published a roadmap for the implementation of the pan-European oversight framework of critical ICT third-party service providers (CTPPs) under Regulation 2022/2554/EU (DORA), with the aim to designate the CTPPs and start the oversight engagement in 2025. By the 30th of April 2025, competent authorities need to submit to the ESAs the Registers of Information on ICT third-party arrangements they received from financial entities. The ESAs will then perform the criticality assessments and notify ICT third-party service providers of their classification as critical by July 2025. During the six weeks following this notification, such service providers can object to the assessment with a reasoned statement and supporting information. After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.
To provide clarity to the market on preparatory activities, the designation process and their oversight approach, the ESAs plan to hold an online workshop with ICT third-party providers in Q2 2025.
