20 November 2025

Designation of critical ICT third-party providers under DORA

What does it mean for regulated firms?

The European Supervisory Authorities (ESAs) have now published their list of designated critical ICT third-party providers (CTPP) but what does this mean for the regulated firms that contract with these third parties? Will it relieve some of their regulatory burden and, in particular, will it reduce the focus on the inclusion of mandated contractual terms?


What do the CTPPs need to do?

The provisions on CTPPs are set out in Articles 31 to 44 of the Digital Operational Resilience Act (DORA).1 These include the criteria to be taken into account in considering which entities to designate and the process for doing this, including the consultation process and the arrangements for the appointment of a Lead Overseer, which will supervise CTPPs.

The Lead Overseer will be one of the three ESAs (i.e. the European Banking Authority, the European Securities and Markets Authority, or the European Insurance and Occupational Pensions Authority) and has a series of powers and responsibilities with respect to the CTPPs, including:

Assessment of ICT risk management

The Lead Overseer shall assess whether the CTPP “has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities”.2 As part of this assessment, the Lead Overseer will review:

  • ICT requirements to ensure the security, availability, continuity, scalability and quality of the services, including the ability to maintain at all times high standards of availability, authenticity, integrity and confidentiality of data;
  • Physical security measures;
  • Risk management processes;
  • Governance arrangements;
  • Identification, monitoring and reporting of material ICT related incidents to regulated firms and the management and resolution of these;
  • Mechanisms for data portability, application portability and interoperability – with the aim of facilitating exits from arrangements by regulated firms;
  • Testing of ICT systems, infrastructure and controls;
  • ICT audits; and
  • Use of applicable national and international standards (e.g. ISO standards).

This assessment will then feed into an oversight plan setting out annual oversight objectives and actions for the CTPP.

Powers of the Lead Overseer

The Lead Overseer has a series of powers in respect of the CTPP, including:

  • requesting information;
  • conducting general investigations and inspections – accompanied by rights to enter premises; seal premises, books or records; take copies of documents; summon and interview representatives of the CTPP for explanations; and request copies of telephone and data traffic;
  • issuing of recommendations, which might specifically relate to:
    • the use of specific ICT security and quality requirements or processes, including in relation to the rollout of software patches, updates, encryption and other security measures;
    • the use of specific contract terms deemed relevant for preventing the generation of single points of failure, or for minimising possible systemic impact across the financial services sector;
    • planned subcontracting;
    • an order to refrain from further subcontracting where, cumulatively, (i) the proposed subcontractor is not established in the EU, (ii) the subcontracting concerns critical or important functions of the firm; and (iii) the use of subcontracting is deemed to pose a clear and serious risk to the financial stability of the EU or to financial entities, including their ability to comply with supervisory requirements; and
  • requesting reports specifying actions taken to remediate any of the recommendations issued by the Lead Overseer.

Failure to comply with these powers can result in the CTPP being fined “periodic penalty payments”, accruing on a daily basis for a maximum period of 6 months, and calculated at the rate of 1% of the CTPP's average daily worldwide turnover in the preceding business year.

CTPPs are expected to notify the Lead Overseer of their intention to comply with its recommendations or otherwise provide an explanation for not following those recommendations. If a CTPP fails to notify the Lead Overseer, or to provide a sufficient explanation, the Lead Overseer may (except in certain limited circumstances) publicly disclose this. The Lead Overseer may also issue non-binding and non-public opinions to competent authorities in order to promote consistent and convergent supervisory follow-up measures, as appropriate.

The Lead Overseer will also inform regulated firms of the risks identified in the recommendations addressed to CTPPs. Regulated firms must take these into account when managing ICT third-party risk. If a competent authority does not deem these risks to have been sufficiently addressed by the regulated firm, it may, as a last resort, require the firm to temporarily suspend (either in whole or in part) the use or deployment of a service provided by the CTPP until the risks have been addressed and this may include whole or partial termination by the firm of the relevant contractual arrangements with the CTPP.


What does this mean for regulated firms?

The scope of the responsibilities of the Lead Overseer has a number of parallels with the responsibilities of the regulated firm, especially in relation to:

  • controls over subcontracting;
  • audit rights; and
  • requirements to include specific contract provisions.

These areas tend to be the most difficult to negotiate with all vendors in relation to ICT contracts given their scope and perceived level of intrusion, and the application to what are, in many cases, shared service delivery models.

It might be the case that in the future, depending on the experiences the Lead Overseers have in these areas, there will be some recognition of the difficulty of achieving these positions with ICT providers, or the establishment of a “regulatory standard” that obviates the need for individual approaches. However, for the time being, that is not the case. The Lead Overseer's powers are not connected to the responsibilities of the regulated firm, and a regulated firm cannot rely on the Lead Overseer's supervisory responsibilities, or the fulfilment of them, to discharge its own regulatory responsibilities, including the requirement to achieve the relevant terms within the agreement.

This cuts two ways – the regulated firm will still need to address the requirements imposed on it under DORA, and the CTPP cannot resist these requirements on the basis that it is subject to oversight such that all the relevant matters are now the Lead Overseer's responsibility.

ICT providers that have not been designated (at least as yet) will of course continue to be asked to comply with the terms imposed on the regulated firm – not being designated does not reduce their exposure to these requests.


The UK regime for critical third parties

The parallel UK regime for critical third parties (CTPs) has not yet issued its designations. This was discussed at the recent Treasury Committee meeting on 4 November, attended by Lucy Rigby, the Economic Secretary to the Treasury. Key points from this meeting are set out below.

  • There was no confirmation that any companies were being assessed for designation or that any recommendations had been received by the Treasury from the FCA or PRA.
  • On the question of timescales, and whether companies would have been designated by the same time next year (i.e. 2026), the response was tentative – “the short answer is yes, I suspect there will be”.3
  • The Committee discussed whether the Treasury needed to receive recommendations from the FCA / PRA or could instead designate entities itself and, if so, whether this was in the national interest. The position set out in the Treasury's Policy Paper on designating CTPs is that the Treasury “generally expects to make designations of CTPs on the basis of recommendations from financial regulators… it is also possible for HM Treasury to designate a CTP without a recommendation from financial regulators”.4
  • The timescale from commencing dialogue with a potential designee to confirmation of the designation is expected to be about six months.

So at present, the UK regime is operating to a different timetable from the European regulators. We await further updates and guidance on this.


In summary

For regulated firms, the designation does not have any material immediate effect on their responsibilities under DORA, and it is important that they continue to take the required steps to achieve and maintain ongoing compliance with contractual requirements and risk management frameworks more widely.

For more information, please contact the author or your usual DLA Piper contact.


1 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
2 Article 33(2) of DORA
3 House of Commons, Treasury Committee, Oral Evidence: AI in financial services, HC 684, Tuesday 4 November 2025
4 HM Treasury, Critical Third Parties Approach to Designation (March 2024)