
The European Supervisory Authorities (ESAs) are preparing to designate critical third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA). DORA, which came into force on 17 January 2025, enables the ESAs to designate key ICT providers to the EU financial services sector as critical, subjecting them to direct supervisory and oversight obligations. The ESAs have recently published a roadmap indicating their expected timeline for designations, with the final designations expected to be in place by the end of this year. For more on DORA generally, see our previous alerts here, here and here.

The designation process

By 30 April 2025, the ESAs will collect registers of information (ROI) from financial institutions. DORA requires financial institutions to maintain ROIs in respect of the ICT services they receive and submit these to their respective competent authorities. The ESAs will collect these from the competent authorities to assess criticality, and begin notifying service providers of their classification by July 2025. DORA broadly requires the ESAs to consider the following factors:

  • The impact on the stability, continuity, or quality of the provision of financial services in the event of operational failures or outages.
  • The importance of the financial institutions using the services of the ICT provider, including whether any clients are global systemically important institutions or other systemically important institutions.
  • The reliance on the services provided for a financial entity’s critical or important functions.
  • The ease of substituting that provider with another provider, including the availability of alternatives, the handover process to such alternatives, and the ease of data migration.

Once an ICT provider receives a notification, a six-week hearing period will commence, which will allow ICT providers to make recommendations. During this window, designated ICT providers will be able to raise objections with a reasoned statement supplemented by relevant supporting information. Following the hearing period, final designations will be made, and the oversight regime will commence.

Designated CTPPs will be subject to several obligations, including risk management requirements, operational resilience requirements (including testing), location requirements (such as establishing an EU subsidiary within 12 months of designation), and compliance with information requests from the lead overseer. Additionally, CTPPs will be required to pay oversight fees, and DORA provides for enforcement powers in cases of non-compliance.

Impact on ICT firms

The new regulatory oversight regime marks a major change for ICT firms, who may be less familiar with such scrutiny compared to the financial entities that they provide services to. Designation will bring compliance and risk management duties, which is likely to have significant impacts on internal corporate governance and reporting lines. ICT providers should assess their operations against the ESAs’ criteria and, if concerned about designation, address whether they are in a position to comply with the requirements of the oversight regime and redress any gaps promptly. ICT firms should also consider whether they would be able to raise any objections to designation and begin gathering supporting evidence to be in the strongest position possible for the six-week hearing window.

Impact on financial institutions

DORA imposes certain compliance obligations on financial institutions regarding the CTPPs they receive services from. For instance, if a CTPP does not establish an EU subsidiary within the 12-month window, the financial institution will be prohibited from using that CTPP’s services.

However, it remains unclear whether designated CTPPs will seek to renegotiate or amend ICT service contracts to address their obligations under the CTPP regime, although this is a possibility. Financial entities working with ICT providers that might be designated as a CTPP should review their compliance programs and contractual arrangements to ensure they can comply with DORA's requirements with minimal impact on business and operational continuity.

Author

Caitlin is a partner in Baker McKenzie's Financial Services Regulatory practice group in the London office. Caitlin's practice focuses on advising a range of global financial institutions on complex and high-value regulatory matters. She advises banks, major corporates, payment institutions and asset managers on navigating UK and EU financial services regulation. She has particular experience in advising clients on regulatory implementation projects, day-to-day compliance issues, and regulatory issues arising in the context of large-scale transactions. She also has expertise in the areas of banking and wholesale financial markets regulation, in particular in the FX and fixed income space, alongside experience advising market infrastructure providers, including major international exchanges, trading platforms, clearing systems and payment services providers, on a variety of compliance issues.

Author

Sue is a Partner in our Technology practice in London. Sue specialises in major technology deals including cloud, outsourcing, digital transformation and development and licensing. She also advises on a range of legal and regulatory issues relating to the development and roll-out of new technologies including AI, blockchain/DLT, metaverse and crypto-assets.

Author

Ben Thatcher is an associate in Baker McKenzie's London office.