European Supervisory Authorities Publish Oversight Guide For Critical ICT Providers Under DORA

The European Supervisory Authorities (ESAs) have issued a comprehensive guide detailing how they will oversee critical third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). Released on July 15, 2025, the guidance lays out the framework for identifying, monitoring, and inspecting technology providers that offer essential ICT services to financial institutions across the European Union.

The document clarifies the ESAs’ approach to managing risks from third-party ICT dependencies, particularly as financial entities increasingly rely on external providers for critical operations. This initiative supports DORA’s broader goal of enhancing the digital resilience of the EU’s financial sector.

CTPPs fall under direct ESA oversight and must comply with a set of risk management expectations

Under the DORA oversight model, the ESAs — EBA, ESMA, and EIOPA — are responsible for designating which ICT providers are considered critical. The criteria include systemic impact, substitutability, concentration risk, and the scale of services provided to regulated financial entities. Once designated, these CTPPs fall under direct ESA oversight and must comply with a set of risk management expectations.

Oversight activities include annual risk assessments, routine monitoring, general investigations, on-site inspections, and the issuance of non-binding recommendations. The ESAs can also request information either informally or through legally binding decisions. Providers that fail to comply risk penalties, reputational disclosure, and, in extreme cases, recommendations to financial institutions to sever ties with the non-compliant party.

To conduct these activities, the ESAs will use Joint Examination Teams (JETs) composed of staff from the ESAs and national competent authorities. These teams will operate under a unified structure known as the Joint Oversight Venture (JOV), designed to ensure consistency and efficiency across sectors.

The guide introduces detailed processes and roles, including the designation of a Lead Overseer (LO) for each CTPP. The LO will be the primary contact point and responsible authority for conducting oversight activities. It will also have the power to issue recommendations, impose periodic penalties, and recover oversight costs through annual fees charged to the CTPPs.

Key governance bodies include the Joint Oversight Network (JON), which coordinates day-to-day operations, and the Oversight Forum (OF), which provides strategic direction and adopts common benchmarks. The Oversight Forum also plays a central role in assessing systemic risks and proposing coordinated mitigation strategies across the financial sector.

According to the ESAs, the guide serves as a user-friendly reference to support understanding and compliance. It is addressed to CTPPs, financial entities, regulators, and other stakeholders. While it does not hold legal weight, it offers practical insight into how the oversight regime will function and how responsibilities will be shared between EU and national authorities.

The publication marks a significant milestone in the implementation of DORA, which aims to harmonize ICT risk management across the EU financial sector. With enforcement of DORA provisions now underway, this guide provides clarity on how supervision will be applied to large-scale providers such as cloud platforms, data centers, and cybersecurity firms operating in Europe.

The ESAs noted that the guide may be updated in the future based on experience and evolving practices. In the meantime, ICT providers subject to oversight are expected to engage proactively with their designated ESA contact points and ensure internal structures are in place to respond to oversight activities.

Financefeeds.com