Reposted from Linklaters - Financial Regulation Insights

DORA: ESAs set out roadmap towards the designation of critical ICT third-party service providers and Commission adopts RTS on threat-led penetration testing

The European Supervisory Authorities (ESAs) have provided a roadmap to move forward with designating critical ICT third-party service providers (CTPPs) and initiating oversight engagement by the end of 2025.

As a reminder, the EU’s Digital Operational Resilience Act (DORA) requires financial entities to collate information about the ICT services they receive. DORA also provides for a process whereby, following an assessment, certain ICT third-party service providers that are deemed critical for EU financial entities will be designated as such.

In order to designate ICT third-party service providers as CTPPs in 2025, the ESAs will perform the following steps throughout the year:

  • By 30 April 2025: The ESAs will receive the registers of information on ICT third-party arrangements (Registers) that financial entities are required to submit to their national regulator. In practice, this will mean that national regulators will ask firms to submit their Registers to them before this date. We have already seen national regulators contacting EU financial entities to set out their expectations on timing for providing Registers.
  • By end of July 2025: The ESAs will then use the data in the Registers to perform the criticality assessments mandated by DORA and notify ICT third-party service providers that are to be classified as critical. This notification will trigger a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
  • By end of 2025: The ESAs will have designated CTPPs, published the list of CTPPs and started the oversight engagement with them.

ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published. The ESAs have noted that details on how to make such a request will be provided soon. 

In order to provide more clarity on the oversight framework and designation process, the ESAs plan to organise an online workshop for ICT third-party providers in the second quarter of 2025. Further details on the exact date will be published by the ESAs in due course.

The roadmap published on 18 February 2025 is available here.

European Commission adopts RTS on threat-led penetration testing 

In other news, the European Commission has adopted the RTS on threat-led penetration testing (TLPT). 

The RTS sets out information on the following:

  • the criteria used for identifying financial entities required to perform TLPT;
  • the requirements regarding the scope and management of TLPT (including risk related to carrying out TLPT), selection of TLPT providers, the testing process and remedial action post-TLPT;
  • the requirements and standards governing the use of internal testers; and
  • the rules on supervision and other co-operation needed for the implementation of TLPT and for mutual recognition of testing.

The content of the RTS as published is substantially the same as the previous draft RTS. 

The RTS was adopted on 13 February 2025 and will enter into force and apply twenty days after its publication in the Official Journal of the EU.

Relatedly, the European Central Bank (ECB) announced on 11 February 2025 that it has updated its European framework for threat intelligence-based ethical red teaming (TIBER-EU framework) to align with the DORA RTS on TLPT. The TIBER-EU framework provides guidance on how authorities, entities, threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks.
