ESAs release guide on DORA oversight of critical third-party providers
On 15 July 2025, the European Supervisory Authorities (ESAs) published a guide on oversight activities under the Digital Operational Resilience Act (DORA), providing practical insights into how they will oversee ICT third-party service providers designated as critical under DORA.
Objectives of DORA oversight framework
While Competent Authorities (CAs) continue to supervise the digital and operational risk of their in-scope financial entities (FEs), the ESAs are responsible for overseeing third-party ICT service providers whose failure or disruption could significantly impact the financial sector’s ability to function, or whose services are essential to the financial system as a whole (critical third-party ICT service providers, referred to as CTPPs). The oversight framework for CTPPs is designed to complement the supervision of FEs’ ICT risk by CAs, allowing close collaboration between the ESAs and CAs.
Principles of DORA oversight framework
Key aspects include:
Oversight bodies and forums
Oversight is led by a designated Lead Overseer (LO) from one of the ESAs, supported by Joint Examination Teams. Several bodies, such as the Oversight Forum and the Joint Oversight Network, ensure coordination and consistency across the EU jurisdictions.
Designation of critical providers
Only ICT providers designated as “critical” by the ESAs pursuant to Article 31 of DORA are subject to DORA oversight. Every year, the ESAs publish the list of CTPPs, which are designated based on the data included in the registers of information of the FEs’ contractual arrangements with ICT third-party service providers (ICT TPPs) and other available data. Therefore, CTPPs are identified annually using both quantitative and qualitative criteria relating to the following four domains:
- the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT TPP were to face a large-scale operational failure to provide its services;
- the systemic character or importance of the FEs that rely on the relevant ICT TPP;
- the reliance of FEs on the services provided by the relevant ICT TPP in relation to critical or important functions of FEs that ultimately involve the same ICT TPP; and
- the degree of substitutability of the ICT TPP.
From a process perspective, the ESAs’ evaluation comprises a two-step assessment of the registers of information reported by the FEs:
- application of the quantitative criteria to the consolidated registers of information received from CAs;
- application of five additional sub-criteria to the dataset resulting from the first step. The ESAs may also make use of any other additional available information.
Following the assessment of the criteria, the LO notifies the ICT TPP about the results of the criticality assessment, and the designation is followed by publication of the list of CTPPs.
Once designated as critical, CTPPs must pay annual oversight fees and maintain continuous engagement with the ESAs.
DORA oversight activities
Oversight consists of four main activities:
- Designation: every year the ESAs publish the list of the CTPPs designated through the data-driven risk assessments (see above). TPPs not included in the list of CTPPs may voluntarily apply to be re-assessed for designation as critical (opt-in process).
- Risk assessment & planning: oversight is risk-based and tailored. Every year, overseers conduct a risk assessment of the CTPP. The risk assessment aims to estimate the specific CTPP risk profile. Based on the results of this assessment, the overseers develop individual (i.e. specific to each CTPP) annual oversight plans and a multi-annual strategic plan covering the entire population of CTPPs. Individual oversight plans are communicated to each CTPP. The CTPPs can present a reasoned statement evidencing the expected impact on their customers that are not FEs and, when appropriate, formulate solutions to mitigate risks.
- Examinations: in execution of the oversight plan and on an ongoing basis, the overseers interact with CTPPs for the purpose of assessing the risks that they may pose to European FEs. This may be through the analysis of documentation received from CTPPs, general investigations, inspections (on-site or virtual check-ups of CTPP systems and operations) and ongoing regular monitoring tasks, which may include meetings with CTPPs to maintain an updated understanding and knowledge of the CTPP. This also involves collection and assessment of periodic data and information such as organisational charts, ICT budget documentation, information security testing reports, risk management work programme and reports and audited financial statements.
Inspections will be used to assess CTPPs through a more intrusive and in-depth approach than regular monitoring or general investigations. They are risk-based and may be conducted on-site or off-site, depending on the circumstances, and involve direct communication with the CTPP. Planned annually based on the outcomes of risk assessments, inspections will follow a structured process that includes preparation, fieldwork, reporting and follow-up.
- Recommendations & follow-ups: the overseers may issue non-binding recommendations in light of any issues identified in the examination. Each recommendation is linked to a finding and includes a priority level and remediation timeline, ranging from short- to long-term actions. CTPPs have 30 days to assess potential impacts on non-FE clients and propose risk-mitigating solutions, which may include a remediation plan. If a CTPP decides not to follow a recommendation, it must provide a reasoned explanation. Should the overseers find this explanation insufficient, DORA mandates that they publicly disclose the CTPP’s identity. This could lead to CAs issuing warnings to FEs, depending on the risks associated with the recommendation. As a last resort, CAs may require an FE to suspend, or even terminate, the use or deployment of a service provided by a CTPP. After this, recommendations and follow-ups may feed into the risk assessment and planning stage for the following year.
Overseers may also submit “Simple Requests” or “Decisions”, particularly in the context of the emergence of a new situation which could not have been covered by the oversight plan. These involve CTPPs being requested to provide some preliminary information to the overseer, for example, to enable them to decide whether some examinations are needed.
Subject to prior consent and cooperation from third-country authorities, oversight may also be extended outside the EU.

How we can help
Contact our DORA experts for any further assistance you may need. We will be delighted to support you and to explain our service offer in more detail.