The Digital Operational Resilience Act (DORA) has applied since January 2025. In July, the European Supervisory Authorities EBA, ESMA and EIOPA presented guidelines for the oversight of critical third-party ICT service providers, the so-called Critical Third-Party Providers (CTPPs).
Supervisory objective and relevance
The DORA guidelines specify the oversight powers of the European Supervisory Authorities over CTPPs. They are embedded in the Union's overall regulatory approach to strengthening the digital resilience of the financial sector. The central aim is to structurally reduce the vulnerability of financial markets to ICT (information and communication technology) failures and cyber risks. The guidelines pursue several interwoven objectives:
The first aim is to identify at an early stage, and to minimize, the systemic risks arising from the increasing dependence of many financial entities on a small number of powerful ICT service providers. This so-called concentration risk, i.e. the critical dependence of many market participants on individual providers, poses considerable dangers for the stability of the entire financial system. The regulatory recording and assessment of these risks under DORA is intended to make such concentration risks more transparent and easier to manage.
The guidelines are also intended to contribute to the cross-sector stability of the European financial market. Uniform definition and assessment criteria for critical third-party providers create not only regulatory comparability but also a platform for coordinated measures. This supports the consistency of regulatory action across all sub-sectors.
Finally, strengthening the operational resilience of the financial entities themselves is a key concern. The requirements of DORA complement the existing internal ICT risk management systems of FEs (financial entities). Direct oversight of CTPPs does not release financial entities from their own responsibility. Rather, the external findings should put them in a better position to take their own decisions in a more risk-oriented manner.
In practice, this means that the oversight of CTPPs complements the existing supervision of financial entities and does not replace it. In future, compliance officers will have to keep a close eye on both levels: their own organization and its dependencies on critical third parties.
Governance structure of DORA supervision
The governance structure of DORA oversight is based on a multi-level and closely networked organizational architecture intended to ensure both cross-sector coordination and operational efficiency. Three central players sit at the center of this structure:
A so-called Lead Overseer (LO) takes the lead role in the oversight of a critical third-party provider. Each of the three European Supervisory Authorities (EBA, ESMA, EIOPA) acts as LO for those CTPPs whose customers are primarily active in its respective financial sector. The determination is made on the basis of the aggregated balance sheet totals of the financial entities that use the services of the third-party provider in question. The LO is responsible for the planning, implementation and follow-up of oversight measures vis-à-vis the respective provider.
Operationally, the oversight activities are supported by Joint Examination Teams (JETs). These teams are made up of specialists from the ESAs and the relevant national supervisory authorities, contributing both technological and regulatory expertise. The JETs carry out investigations, assess risks and formulate recommendations. Depending on the nature of the risk, their work can be carried out both on a regular and on an ad hoc basis.
Strategic coordination is ensured by the Joint Oversight Network (JON) and the Oversight Forum (OF). The JON serves to coordinate between the participating ESAs (European Supervisory Authorities) and ensures that information on risks and developments is shared across sectors. The Oversight Forum, in turn, acts as an advisory body in which high-ranking representatives of European and national supervisory authorities come together to discuss overarching developments and ensure the harmonization of supervisory practices.
This governance structure is intended to ensure coordinated, transparent and risk-oriented monitoring of CTPPs and to promote effective exchange between the European and national levels. For those responsible for compliance, it means that regulatory requirements do not come from a single source: the interaction of several players must be taken into account.
DORA supervisory instruments at a glance
1. Designation
A third-party ICT provider is classified as critical following a two-stage assessment process based on quantitative and qualitative criteria (including systemic relevance, substitutability and customer structure). The classification is made annually on the basis of the data registered with the supervisory authorities. Providers that are not designated can apply for a voluntary assessment (opt-in).
2. Risk assessment and oversight planning
A risk profile is drawn up annually as part of the Oversight Risk Assessment Process (ORAP). An individual oversight plan for each CTPP and a sectoral multi-year plan are derived from it.
3. Examinations
These include:
- Ongoing monitoring: regular interactions, periodic reports, data transmissions and meetings.
- General investigations: thematic or risk-based special audits, including horizontal (multi-provider) and follow-up audits.
- Inspections: in-depth inspections, including on-site inspections with high resource requirements.
4. Requests for information
Investigations can be initiated by an informal request for information (Simple RfI) or a formal one (Decision RfI). Sanctions may be imposed if information requested in a Decision RfI is refused or provided incorrectly.
5. Recommendations and follow-up
Non-binding recommendations are issued on the basis of the examinations. Within 60 days, CTPPs must either notify their intention to follow them or submit a reasoned rejection. In the event of an unjustified rejection, non-compliance may be announced publicly. The national supervisory authorities can also take operational measures against FEs, such as ordering the termination of the contractual relationship with the CTPP in question.
International dimension of supervision
Under certain conditions, oversight can also extend to third countries where CTPPs maintain establishments that provide services to EU financial entities. Prerequisites include the approval of the relevant third-country authority and the consent of the provider concerned. The European Supervisory Authorities are working towards cooperation agreements (Memoranda of Understanding, MoUs) with third countries.
Compliance relevance for practice
The practical relevance of the DORA guidelines unfolds on two central levels: first, for the financial entities that use critical ICT service providers, and second, for the third-party providers themselves, which will in future be subject to European oversight.
It is crucial for financial entities to systematically assess the CTPPs they use from a digital resilience perspective. The information obtained and passed on as part of DORA oversight of CTPPs is a valuable point of reference. Compliance officers must check whether existing outsourcing contracts still meet the regulatory expectations and whether the contractually agreed control and escalation mechanisms are suitable for adequately responding to recommendations or sanctions against a CTPP. They should also prepare proactively for the potential consequences of DORA recommendations issued to CTPPs, for example where the continued use of certain services is called into question.
Third-party providers, in turn, must align their internal governance and risk management structures with the new requirements. Organizational preparation for examinations by Joint Examination Teams (JETs) and the establishment of an effective oversight interface are key tasks. This covers not only technical and documentation requirements but also the establishment of a legally and operationally robust presence within the EU. It is particularly important to provide a functioning interface to the supervisory authorities that can respond quickly and bindingly to requests for information, recommendations and investigations.
Conclusion: DORA guidelines on CTPP supervision
The European financial architecture is increasingly characterized by digital infrastructures whose stability, security and availability have a direct impact on the functioning of the market. DORA addresses precisely this interface through the targeted oversight of particularly critical third-party providers and the promotion of cross-sector resilience. At the same time, existing national supervisory practices are consolidated and transferred into a coherent EU-wide system.
The DORA guidelines on CTPP oversight clarify how the provisions of the regulation are translated into specific examination mechanisms, risk assessments, measures and escalation steps. They thus create transparency, planning certainty and comparability for all parties involved.
Ultimately, DORA is not just about regulatory compliance but about ensuring stable and trustworthy digital services for the entire financial sector. The consistent implementation of the new oversight mechanisms will therefore make a decisive contribution to digital sovereignty and security within the EU.
Source: DORA Oversight Guide