In a significant stride toward strengthening digital stability in Europe’s financial sector, the European Supervisory Authorities (EBA, EIOPA, and ESMA) have today published the list of critical ICT third‑party service providers under the Digital Operational Resilience Act (DORA). This move gives the ESAs direct oversight of some of the most pivotal vendors that supply digital and data services, delivered through information and communications technology systems, to financial institutions with a presence in the EU.
Why this matters:
Financial entities across the EU rely heavily on digital platforms and infrastructure, from cloud computing and data centres to data analytics, cybersecurity and communications. With systemic cyber risk on the rise, DORA’s oversight framework aims to ensure that designated providers maintain robust risk management. Those designated can now face direct audits/governance reviews, incident-reporting mandates, and potentially onsite inspections. The focus is on ensuring that steps are being taken to prevent service disruptions that could ripple through the financial sector.
Next steps:
- Financial firms caught by DORA should review the list and align sourcing agreements and third-party risk frameworks accordingly.
- The designated critical ICT providers should audit internal policies and procedures against DORA’s requirements to ensure readiness for direct ESA oversight.
To access the list of designated critical ICT providers, see here:
The European Supervisory Authorities designate critical ICT third-party providers under the Digital Operational Resilience Act | European Banking Authority
You can view our latest DORA content at Application of the Digital Operational Resilience Act (DORA): Key considerations | DLA Piper