
DORA: Designation and oversight of critical third-party service providers

On 15 July 2025, the EBA, EIOPA and ESMA (the "European Supervisory Authorities" or the ESAs) clarified the designation mechanism for critical third-party service providers and the details of the Oversight Framework. The EU Digital Operational Resilience Act ("DORA") permits the ESAs to designate certain ICT service providers as critical if they meet the following criteria cumulatively: (a) the systemic impact on the stability, continuity or quality of the provision of financial services if the ICT third-party provider ("ICT TPP") faces a large-scale operational failure to provide its services, (b) the systemic character or importance of the financial entities that rely on the relevant ICT TPP, (c) the reliance of the financial entities on the services provided by the same ICT TPP in relation to critical or important functions of the financial entities, and (d) the degree of substitutability of the ICT TPP (Art. 31). Such critical ICT third-party providers ("CTTPs") will be subject to an Oversight Framework that imposes onerous obligations.

The concern here is that a limited number of ICT service providers are widely used by financial entities, and the resulting concentration risk must be addressed by maintaining a dialogue with these ICT service providers to ensure that cyber resilience risks are adequately managed. The ESAs will have the power to request information, carry out ongoing monitoring, conduct investigations and inspections, and recommend cybersecurity measures directly to the CTTPs. The ESAs can also make recommendations to a CTTP on the terms and conditions under which the ICT services are provided to financial entities and on any subcontracting arrangements, and oppose those that may impact the stability of the financial entity or the financial system. Where necessary, the ESAs can compel financial entities to take additional measures in relation to the CTTPs, including suspension or termination of the use or deployment of the services provided by the CTTP. The CTTPs may be subject to periodic penalty payments for non-compliance with the Oversight Framework and to public disclosure of such penalty payments (Art. 35.6).

ICT service providers that are designated as CTTPs will be notified by the ESAs of their designation and of the date from which they will be subject to the Oversight Framework. CTTPs that are not based in the EU will be required to establish a presence in the EU within 12 months of the designation, and financial entities may be unable to use the services of such CTTPs if they have not complied with this requirement.

Digital infrastructure entities, such as cloud computing service providers that offer cloud computing solutions to the financial services sector, are first in line to be designated as CTTPs. NIS2 already applies to them, so oversight of these entities under DORA will be complementary to the NIS2 requirements.

The European Supervisory Authorities (EBA, EIOPA, ESMA – the ESAs) today published a guide on oversight activities under the Digital Operational Resilience Act (DORA). The aim of this guide is to provide an overview of the processes used by the ESAs, through the Joint Examination Teams (JET), to oversee critical information and communication technology (ICT) third-party service providers (CTPPs).
