On 7 October 2024, the Joint Committee (JC) of the ESAs published its Work Programme for 2025. The JC will set up and operationalise the EU-wide Oversight Framework for ICT Critical Third-Party Providers (CTPPs). The JC will also, via the European Forum for Innovation Facilitators (EFIF), further promote coordination and cooperation among national innovation facilitators in line with the European Commission’s Digital Finance Strategy. The JC will coordinate the implementation of Regulation 2022/2554/EU (DORA), delivering all level-1 DORA policy mandates by 17 January 2025. Its substructures dedicated to DORA will, among others, adapt the governance structure for DORA non-oversight-related tasks. By mid-January 2025, the JC will deliver a feasibility study on a potential centralisation of major ICT-related incidents. A report needs to be delivered by July 2025 for the preparation of the EU systemic cyber incident coordination framework (EU-SCICF).
The ESAs will launch their new oversight activities in line with DORA, notably on designated CTPPs, and will finalise the remaining policy mandates, oversight procedures and methodologies, including the establishment of the Oversight Forum and the Joint Oversight Network. The ESAs will designate the first group of CTPPs after assessing the criticality of ICT TPPs and set up the Joint Examination Teams. They will also implement the EU-SCICF and develop the necessary IT infrastructure to support the direct DORA oversight tasks and incident reporting. Some policy mandates like incident reporting and threat-led penetration testing might entail new joint governance processes to be developed in 2025.