{"id":160749,"date":"2024-07-23T15:09:18","date_gmt":"2024-07-23T13:09:18","guid":{"rendered":"https:\/\/www.fma.gv.at\/?page_id=160749"},"modified":"2025-11-26T08:52:42","modified_gmt":"2025-11-26T07:52:42","slug":"dora-oversight-framework-of-critical-ict-third-party-service-providers","status":"publish","type":"page","link":"https:\/\/www.fma.gv.at\/en\/cross-sectoral-topics\/dora\/dora-oversight-framework-of-critical-ict-third-party-service-providers\/","title":{"rendered":"DORA \u2013 Oversight framework of critical ICT third-party service providers"},"content":{"rendered":"
\"\"<\/span>
\n

ICT third-party service providers<\/strong><\/p>\n<\/div><\/div>

<\/div>

The Digital Operational Resilience Act (DORA) creates an oversight framework for the ongoing monitoring of the activities of information and communication technology service providers (ICT third-party service providers) that are critical ICT third-party service providers for financial undertakings. In particular this is in reaction to the increased outsourcing in the ICT area and the concentration of dependencies of ICT third-party service providers.<\/p>

The Lead Overseers will collect oversight fees from critical ICT third-party service providers to cover the costs arising from the Oversight Framework.<\/p>

Critical ICT third-party service providers<\/h2>

ICT third-party service providers are classified as critical by the European Supervisory Authorities (ESAs<\/a>) based on prescribed criteria that in turn are based on the registers of information prepared by the financial undertakings. ICT third-party service providers themselves may also apply for a review of their designation as critical.  <\/p>

The annually updated list of critical third-party ICT service providers was first published on November 18, 2025:<\/p>

List_of_designated_CTPPs.pdf <\/a><\/p>

Lead Overseer<\/h2>

The Lead Overseer subsequently conducts the monitoring of the critical ICT third-party service providers that have been allocated to it. Dependent on the extent of usage of critical ICT third-party service providers by the respective supervised financial undertakings, measures in terms of their total assets, the European Banking Authority (EBA) or the European Insurance and Occupational Pensions Authority (EIOPA) or the European Securities and Markets Authority (ESMA) acts as the Lead Overseer (LO). <\/p>

The Lead Overseer assesses the third-party service providers’ management of ICT risks. For conducting this duty it has the power to request information, to conduct general investigations and on-site Inspections, to make recommendations and to request information about the measures taken on the basis of such recommendations by the ICT third-party service providers.<\/p>

Specific players in the Oversight Framework<\/h2>

Lead Overseers are assisted by Joint Examination Teams (JETs) in conducting their activities, that staff members of competent authorities also work in.<\/p>

The coordination between the Lead Overseers takes place in the Joint Oversight Network. <\/p>

An Oversight Forum has been established that is a Subcommittee of the Joint Committee of the three European Supervisory Authorities, of which representatives of competent authorities are also members. Its duties are to assist and advise on the activities of the Joint Committee of the European Supervisory Authorities, including the preparation of the designation and naming of critical ICT third-party service providers, preparing draft joint positions and draft common acts of the Joint Committee, the annual assessment of monitoring activities or the promotion of coordination measures to increase the digital operational resilience of financial undertakings.<\/p>

Follow-up by competent authorities<\/h2>

Risks that have been determined in the recommendations of the Lead Overseers to critical ICT third-party service providers are communicated by the competent authorities to financial undertakings that use these critical ICT third-party service providers. <\/p>

The supervised entities subsequently take this information into account in their managing of ICT third-party risk. In the event that this is not done adequately from the perspective of the competent authorities, as a last resort they may instruct the partial or complete suspension of services by the critical ICT third-party service providers.<\/p>

Questions and Answers<\/h2>