European Union: DORA update – Upcoming designations of critical third-party providers

In brief

The European Supervisory Authorities (ESAs) are preparing to designate critical third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA). DORA, which came into force on 17 January 2025, enables the ESAs to designate key ICT providers to the EU financial services sector as critical, subjecting them to direct supervisory and oversight obligations. The ESAs have recently published a roadmap indicating their expected timeline for designations – with the final designations expected to be in place by the end of this year.

The designation process

By 30 April 2025, the ESAs will collect registers of information (ROI) from financial institutions. DORA requires financial institutions to maintain ROIs in respect of the ICT services they receive and submit these to their respective competent authorities. The ESAs will collect these from the competent authorities to assess criticality, and begin notifying service providers of their classification by July 2025. DORA broadly requires the ESAs to consider the following factors:

  • The impact on the stability, continuity, or quality of the provision of financial services in the event of operational failures or outages.
  • The importance of the financial institutions using the services of the ICT provider, including whether any clients are global systemically important institutions or other systemically important institutions.
  • The reliance on the services provided for a financial entity's critical or important functions.
  • The ease of substituting that provider with another provider, including the availability of alternatives, the handover process to such alternatives, and the ease of data migration.

Once an ICT provider receives a notification, a six-week hearing period will commence, which will allow ICT providers to make recommendations. During this window, designated ICT providers will be able to raise objections with a reasoned statement supplemented by relevant supporting information. Following the hearing period, final designations will be made, and the oversight regime will commence.

Designated CTPPs will be subject to several obligations, including risk management requirements, operational resilience requirements (including testing), location requirements (such as establishing an EU subsidiary within 12 months of designation), and compliance with information requests from the lead overseer. Additionally, CTPPs will be required to pay oversight fees, and DORA provides for enforcement powers in cases of non-compliance.

Impact on ICT firms

The new regulatory oversight regime marks a major change for ICT firms, which may be less familiar with such scrutiny than the financial entities they provide services to. Designation will bring compliance and risk management duties, which are likely to have significant impacts on internal corporate governance and reporting lines. ICT providers should assess their operations against the ESAs' criteria and, if concerned about designation, address whether they are in a position to comply with the requirements of the oversight regime and redress any gaps promptly. ICT firms should also consider whether they would be able to raise any objections to designation and begin gathering supporting evidence to be in the strongest position possible for the six-week hearing window.

Impact on financial institutions

DORA imposes certain compliance obligations on financial institutions regarding the CTPPs they receive services from. For instance, if a CTPP does not establish an EU subsidiary within the 12-month window, the financial institution will be prohibited from using that CTPP's services.

However, it remains unclear whether designated CTPPs will renegotiate or amend ICT service contracts to address their obligations under the CTPP regime, although this is possible. Financial entities working with ICT providers that might be designated as a CTPP should review their compliance programs and contractual arrangements to ensure they can comply with DORA's requirements with minimal impact on business and operational continuity.


Copyright © 2025 Baker & McKenzie. All rights reserved.