DORA – Oversight framework of critical ICT third-party service providers
ICT third-party service providers
The Digital Operational Resilience Act (DORA) creates an oversight framework for the ongoing monitoring of the activities of information and communication technology service providers (ICT third-party service providers) that have been designated as critical for financial undertakings. The framework responds in particular to the increased outsourcing of ICT services and to the concentration of dependencies on a small number of ICT third-party service providers.
The Lead Overseers will collect oversight fees from critical ICT third-party service providers to cover the costs arising from the Oversight Framework.
Critical ICT third-party service providers
ICT third-party service providers are designated as critical by the European Supervisory Authorities (ESAs) on the basis of prescribed criteria, which are in turn assessed using the registers of information prepared by the financial undertakings. ICT third-party service providers may themselves also apply for a review of their criticality designation.
Lead Overseer
Each critical ICT third-party service provider is allocated to a Lead Overseer (LO), which then conducts its monitoring. Which of the three ESAs acts as Lead Overseer (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) or the European Securities and Markets Authority (ESMA)) depends on the extent to which the supervised financial undertakings of each sector use the critical ICT third-party service provider, measured in terms of the total assets of those financial undertakings.
The Lead Overseer assesses how the critical ICT third-party service provider manages its ICT risks. To carry out this duty it has the power to request information, to conduct general investigations and on-site inspections, to issue recommendations, and to request information from the ICT third-party service provider about the measures taken on the basis of such recommendations.
Specific players in the Oversight Framework
Lead Overseers are assisted in their activities by Joint Examination Teams (JETs), in which staff members of the competent authorities also participate.
The coordination between the Lead Overseers takes place in the Joint Oversight Network.
An Oversight Forum has been established as a Subcommittee of the Joint Committee of the three European Supervisory Authorities; representatives of the competent authorities are also members. Its duties are to assist and advise the Joint Committee in its activities, including preparing the designation and naming of critical ICT third-party service providers, preparing draft joint positions and draft common acts of the Joint Committee, carrying out the annual assessment of oversight activities, and promoting coordination measures to increase the digital operational resilience of financial undertakings.
Follow-up by competent authorities
Risks identified in the Lead Overseers' recommendations to critical ICT third-party service providers are communicated by the competent authorities to the financial undertakings that use those providers.
The supervised entities then take this information into account in their management of ICT third-party risk. If, in the view of the competent authorities, this is not done adequately, they may as a last resort require the financial undertakings concerned to suspend, partially or completely, their use of the services of the critical ICT third-party service provider.
Questions and Answers
Critical ICT third-party service providers are determined by the ESAs during the second half of 2025 on the basis of the registers of information and the stipulated criteria. ICT third-party service providers also have the possibility to apply to have their criticality reviewed.
Financial undertakings continue to remain fully responsible for the monitoring of ICT third-party service providers.
They are supported in doing so by the Oversight Framework established in the context of digital operational resilience, for example by being informed by the Austrian Financial Market Authority (FMA) about risks identified in the Lead Overseers' recommendations to critical ICT third-party service providers. Financial undertakings then take these risks into account in their management of ICT third-party risk.
The Oversight Framework relates exclusively to the management of ICT risks by critical ICT third-party service providers and is distinct from the supervision of financial undertakings. In this regard, see Article 33(2) and (3) DORA.
For example, operating as a critical ICT third-party service provider does not require a licence. Since no licence is required, there is also no licence that could be withdrawn, e.g. if the provider fails to implement the recommendations handed down by the Lead Overseer.
The Oversight Framework created by DORA in the European Union applies to all ICT third-party service providers, including cloud service providers, provided that they have been identified and designated as critical ICT third-party service providers (Recital 20 DORA).
The ESAs, through the Joint Committee, establish, publish and update the list of critical ICT third-party service providers at Union level annually (Article 31(9) DORA).
In addition, the ICT third-party service provider informs the financial undertakings to which it provides services of its designation as critical (Article 31(5) DORA).
The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.
Legal bases
Information regarding the legal bases for DORA can be found on the FMA’s “DORA – Digital Operational Resilience in the Financial Sector” web page.