In brief

The European Supervisory Authorities (ESAs) are preparing to designate critical third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA). DORA, which came into force on 17 January 2025, enables the ESAs to designate key ICT providers to the EU financial services sector as critical, subjecting them to direct supervisory and oversight obligations. The ESAs have recently published a roadmap indicating their expected timeline for designations – with the final designations expected to be in place by the end of this year. For more on DORA generally, see our previous alerts here, here and here.

The designation process

By 30 April 2025, the ESAs will collect registers of information (ROI) from financial institutions. DORA requires financial institutions to maintain ROIs in respect of the ICT services they receive and submit these to their respective competent authorities. The ESAs will collect these from the competent authorities to assess criticality, and begin notifying service providers of their classification by July 2025. DORA broadly requires the ESAs to consider the following factors:

  • The impact on the stability, continuity, or quality of the provision of financial services in the event of operational failures or outages.
  • The importance of the financial institutions using the services of the ICT provider, including whether any clients are global systemically important institutions or other systemically important institutions.
  • The reliance on the services provided for a financial entity’s critical or important functions.
  • The ease of substituting that provider with another provider, including the availability of alternatives, the handover process to such alternatives, and the ease of data migration.

Once an ICT provider receives a notification, a six-week hearing period will commence, which will allow ICT providers to make recommendations. During this window, designated ICT providers will be able to raise objections with a reasoned statement supplemented by relevant supporting information. Following the hearing period, final designations will be made, and the oversight regime will commence.

Designated CTPPs will be subject to several obligations, including risk management requirements, operational resilience requirements (including testing), location requirements (such as establishing an EU subsidiary within 12 months of designation), and compliance with information requests from the lead overseer. Additionally, CTPPs will be required to pay oversight fees, and DORA provides for enforcement powers in cases of non-compliance.

Impact on ICT firms

The new regulatory oversight regime marks a major change for ICT firms, which may be less familiar with such scrutiny than the financial entities that they provide services to. Designation will bring compliance and risk management duties, which are likely to have significant impacts on internal corporate governance and reporting lines. ICT providers should assess their operations against the ESAs’ criteria and, if concerned about designation, address whether they are in a position to comply with the requirements of the oversight regime and redress any gaps promptly. ICT firms should also consider whether they would be able to raise any objections to designation and begin gathering supporting evidence to be in the strongest position possible for the six-week hearing window.

Impact on financial institutions

DORA imposes certain compliance obligations on financial institutions regarding the CTPPs they receive services from. For instance, if a CTPP does not establish an EU subsidiary within the 12-month window, the financial institution will be prohibited from using that CTPP’s services.

However, it remains unclear whether designated CTPPs will renegotiate or amend ICT service contracts to address their obligations under the CTPP regime, although this possibility exists. Financial entities working with ICT providers that might be designated as a CTPP should review their compliance programs and contractual arrangements to ensure they can comply with DORA’s requirements with minimal impact on business and operational continuity.

Author

Caitlin is a partner in Baker McKenzie’s Financial Services Regulatory practice group in the London office. Caitlin's practice focuses on advising a range of global financial institutions on complex and high value regulatory matters. She advises banks, major corporates, payment institutions and asset managers on navigating UK and EU financial services regulation. She has particular experience in advising clients on regulatory implementation projects, day-to-day compliance issues, and regulatory issues arising in the context of large-scale transactions. She also has expertise in the areas of banking and wholesale financial markets regulation, in particular in the FX and fixed income space, alongside experience advising market infrastructure providers, including major international exchanges, trading platforms, clearing systems and payment services providers, on a variety of compliance issues. Caitlin is also a member of the Baker's ESG and sustainability taskforce, and advises a range of clients on the drafting and implementation of ESG policies and the implications of becoming a signatory to the UNPRI and the Stewardship Code. Caitlin is an authority on regulatory reforms in the sustainability space and sits on a number of trade association working groups. She has recently been interviewed by Climate Action on her work and is a frequent speaker on the subject.

Author

Sue is a partner in Baker McKenzie's IP, Data and Technology team based in London. Sue advises on complex technology and commercial deals and projects. Sue has advised on technology projects for over 24 years. She advises on strategic technology deals including cloud, outsourcing, digital transformation and development and licensing. She also advises on a range of legal and regulatory issues relating to the development and roll-out of new technologies including AI, blockchain/DLT and crypto-assets. Sue is a key member of our global AI practice and leads on responsible AI governance and AI related transactional projects at the firm. Sue co-leads our Commercial practice in London. On the commercial side, Sue's practice involves advising on a range of strategic commercial agreements including supply and distribution agreements, manufacturing agreements, warehousing and logistics agreements, IP licensing and assignment agreements, joint development agreements, collaboration agreements and franchising agreements. She also supports clients in preparing terms of business and related documentation for new offerings and coordinating global roll-outs. Sue also co-leads our transactional practice in London supporting our Corporate teams and providing strategic support on the commercial, technology and intellectual property aspects of M&A transactions, including advising on complex and strategic ancillary commercial, IP and transitional agreements related to acquisitions, disposals, carve-outs and JVs. Sue is ranked as a leading lawyer in Chambers for Information Technology & Outsourcing and Fintech Legal and in Legal500 for IT & Telecoms, TMT, Commercial Contracts and Fintech. Clients say of Sue: "She is pragmatic and focused on getting a sensible deal done" and "She quickly builds relationships with ease and leverages her network to gain valuable insight. Her knowledge of technology and the impact of existing and upcoming laws is evident. Her professionalism builds trust and we have been grateful for her responsiveness on urgent matters". Sue's practice involves advising clients across a range of sectors including TMT, healthcare, financial services, consumer goods and retail, EMI and IMT. Sue is a key member of our global financial services industry group. She is also an active member of our HLS and CGR industry groups. Sue is vice chair and a trustee of the Society for Computers and Law and founder and chair of the SCL Women in Tech Law network.

Author

Ben Thatcher is an associate in the Financial Services Regulatory team of Baker McKenzie London.