The European Supervisory Authorities are contacting vendors to say they expect to designate them as being “critical” to the EU financial system. Once formally designated, the ESAs will directly oversee critical ICT service providers using powers under the Digital Operational Resilience Act. We are working with clients as they respond to the ESAs and consider the wider impact of DORA on their business.
Oversight framework for critical providers
DORA provides an oversight framework for critical ICT third-party service providers. The ESAs determine who will be designated as critical and have started to send preliminary designation letters to providers that meet the relevant criticality criteria.
Designation will be based on several factors. These include:
- The potential systemic impact on the provision of financial services in the event of a large-scale failure,
- The type and importance of financial entities that rely on the ICT service provider,
- How easily the ICT service provider can be replaced, and
- Whether any exemptions to designation are available.
The ESAs are primarily using data given to them by EU financial services firms. Earlier this year, financial entities subject to DORA submitted registers of information to their national regulators, who shared them with the ESAs. These registers collate information about firms’ contractual arrangements with their ICT service providers.
Responding to designation
DORA allows vendors to respond to their prospective designation. They have six weeks from the date of the preliminary designation letter to submit a reasoned statement to the ESAs, if they choose to do so. The statement is an opportunity for providers to make representations to the ESAs, including additional information and any arguments against their designation.
What designation means
Once designated, critical ICT service providers will be:
- Required to pay annual oversight fees,
- Subject to ongoing supervisory oversight which the ESAs expect to be a continuous dialogue between them and the ICT service providers,
- Subject to an annual assessment of whether the provider has “comprehensive, sound and effective” rules, procedures and mechanisms in place to manage the ICT risks it may pose to financial entities, and
- Required to establish a subsidiary in the EU, if they do not already have one.
As part of their supervision of critical ICT service providers, the ESAs may request information, conduct investigations and onsite inspections, issue recommendations, and impose penalties for non-compliance with requested actions up to 1% of the average daily worldwide turnover.
Next steps
DORA started to apply on 17 January 2025. In the coming weeks, the deadline for submitting reasoned statements will pass. The ESAs will notify critical ICT service providers of their designation and start applying the oversight regime within a month of that notification.
The ESAs will publish the first list of designations later in the autumn. The designation process will repeat every year based on updated registers of information.
We have advised dozens of financial entities on implementing DORA and continue to advise ICT service providers about how DORA affects them. Contact us if you would like to talk about the impact of DORA on your business.
UK CTP regime
The UK has its own regime for designating third-party providers as critical to the financial services sector. Linklaters clients can access a guide to the critical third-party regime on our knowledge portal.