On 30 May 2024, the European Commission Delegated Regulation 2024/1502/EU supplementing DORA was published in the EU Official Journal. The Delegated Regulation specifies the criteria for the designation of ICT third-party service providers (ICT TPSPs) as critical for financial entities (FEs). ESAs must assess whether ICT TPSPs fulfil all of the ‘step 1’ sub-criteria. For those ICT TPSPs fulfilling the ‘step 1’ sub-criteria, ESAs must assess whether such providers fulfil also the ‘step 2’ sub-criteria.

The Delegated Act was adopted on 22 February 2024. While it enters into force on 19 June 2024, the Lead Overseer must apply the step 2 sub-criterion related to the dependence of the critical ICT TPSP on the same subcontractors providing ICT services supporting critical functions of FEs as of 16 January 2025.