ESAS unveil guide to DORA oversight for critical tech providers

Earlier this month the European Supervisory Authorities (EBA, EIOPA and ESMA) jointly published a guide to oversight under the Digital Operational Resilience Act (DORA), laying out how they will supervise critical third-party ICT providers (CTPPs). The guide explains how Joint Examination Teams (JETs) will coordinate pan-European supervision to manage systemic ICT risk across the financial sector.
The oversight framework includes five main activities: designation of critical providers, annual risk assessments, in-depth examinations, issuance of recommendations, and monitoring of follow-up actions. It also introduces clear expectations for collaboration, data sharing, and structured engagement between CTPPs and regulators.
Regulatory debate around DORA’s scope led to a simplified final version, reducing some compliance burden while maintaining strong supervisory expectations. For vendors, resilience remains non-negotiable, and that extends beyond direct clients to the full subcontracted chain.
This guide marks a key step in operationalising DORA’s cross-border supervisory ambitions, particularly as the financial sector’s dependency on a limited set of tech providers deepens. DORA translates that concentration risk into the practical, multi-layered supervision model outlined in this guide, with the goal of improved digital resilience throughout the sector. Balancing compliance costs against the ability of financial institutions’ suppliers to focus on their own cyber risks remains vital.
DORA highlights the critical role of digital infrastructure in financial services.