On Feb. 18, EBA, EIOPA, ESMA issued roadmap for CTPPs designation.
The European Supervisory Authorities (ESAs) i.e. EBA, EIOPA, ESMA issued roadmap towards designation of critical ICT third-party service providers (CTPPs) under DORA.
Are advancing in the implementation of the pan-European oversight framework of CTPPs, with objective to designate them and to start oversight engagement in 2025.
Follows EBA, EIOPA, ESMA Nov. 2024 set timeline to collect information, see #233758.
CTPP Designation and Engagement
Competent authorities are required to submit to ESAs by Apr. 30, 2025, the Registers of Information of ICT third-party arrangements received from financial entities.
The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by Jul. 2025.
Notification will start a 6-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and supporting information.
After the 6-week period, ESAs will designate CTPPs and start oversight engagement.
ICT third-party service providers that are not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published, the ESAs will publish information on how to request this in due course.
Oversight Framework
ESAs have been preparing the governance, procedures, and methodologies needed to conduct oversight activities, and have set up a joint DORA oversight function.
This will allow ESAs to perform day-to-day oversight duties with integrated approach.
Next Steps
To provide clarity to market on preparatory activities, designation process, oversight approach, will organize an online workshop with ICT third-party providers in Q2 2025.
Further details on the exact date will be published in due course.
