The European Supervisory Authorities (ESAs) have published a guide detailing how joint examination teams will supervise critical ICT third-party service providers under the Digital Operational Resilience Act (DORA).
The EU regulation came into force on 17 January 2025 and aims to strengthen digital operational resilience in the financial sector.
The ESAs, comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), stated that the guide provides “high-level explanations” to external stakeholders regarding the critical third-party provider (CTPP) oversight framework.
It also offers CTPPs, financial entities (FE), competent authorities (CA) and the general public an overview of the governance structure, oversight processes, the founding principles and the tools available to the overseers.
The ESAs encouraged relevant stakeholders to use the document to prepare for the oversight implementation.
Under DORA, the three ESAs are responsible for overseeing CTPPs on a pan-European scale, enhancing the overall digital operational resilience across the various EU financial areas.
“This oversight framework helps to address potential systemic and concentration risks arising from the financial sector's reliance on a limited number of ICT providers. It complements, rather than replaces, financial entities' responsibilities for managing ICT-related risks and the supervision already exercised over them by competent authorities,” the guide stated.
As part of their supervision, the ESAs are responsible for designating as CTPPs those ICT service providers serving financial entities in Europe that are critical to each of the financial sectors under their remit.
Each ESA then assumes the role of lead overseer for the CTPPs within its respective financial sector. In this capacity, it conducts oversight activities in collaboration with the relevant CAs, ensuring a coordinated approach to ICT risk management across the financial landscape.
“The ESAs have powers to request information, conduct general investigations and inspections, issue recommendations, monitor their implementation, and impose periodic penalty payments on CTPPs. These oversight tasks are carried out by Joint Examination Teams (JETs), composed of staff from the ESAs, from the relevant CAs supervising FEs in the EU and the network and information service (NIS) authorities supervising the CTPPs,” the guide stated.
As part of the framework, a joint oversight network and oversight forum have been set up, with responsibility to ensure the “upholding of a coordinated, outcome-focused and proportionate framework, with a focus on harbouring trust, as well as oversight accountability and transparency”.
Furthermore, the three ESAs have also set up a joint oversight venture (JOV), led by a joint oversight director, to “maximise synergies, ensure consistency in the oversight tasks and to achieve a more efficient use of resources”.
“The establishment of this organisation, which has become operational since October 2024, ensures that the day-to-day oversight is performed with a cross-sectoral integrated approach. Operationally, all oversight activities are performed within the remit of the JOV,” the guide stated.