Preparing for the Designation of Critical ICT Third-Party Providers Under DORA

As the financial sector gears up for the implementation of the Digital Operational Resilience Act (DORA) in January 2025, the European Supervisory Authorities (ESAs)—comprising EBA, EIOPA, and ESMA—have outlined the next steps for designating critical ICT third-party service providers (CTPPs). This process is central to DORA’s aim of strengthening digital operational resilience across the financial sector. 

Key Timeline and Reporting Obligations 
The ESAs have set a crucial deadline: by 30 April 2025, competent authorities must submit the registers of information detailing financial entities’ contractual arrangements with ICT third-party service providers. This marks the first step in identifying and overseeing providers deemed critical to the EU financial ecosystem. Competent authorities are expected to gather this information from financial entities ahead of the April deadline, following their own schedules to ensure timely compliance. 
 

Framework for Reporting
The ESAs’ Decision provides a structured framework for submitting information related to the designation of CTPPs. This framework includes: 
  • Timelines and frequency for reporting. 
  • Procedures for submission, ensuring data quality and enabling revisions. 
  • Confidentiality and access rules to safeguard sensitive information.

While the official implementing technical standards (ITS) for Registers of Information are still pending EU Commission adoption, the core requirements have been available since January 2024. Financial entities are encouraged to begin preparations now, focusing on gathering data that might take time to compile, such as unique identifiers for their ICT providers.
 

Industry Support and Dry Run Insights 
To aid financial entities in meeting these requirements, the ESAs have taken proactive steps: 
  1. Draft Reporting Tools: In May 2024, the ESAs shared draft templates, a data point model, and a reporting technical package. 
  2. Dry Run Exercise: Around 1,000 financial entities participated in a voluntary exercise to test the reporting of Registers of Information, providing valuable insights into the practical aspects of compliance. 

Additionally, the ESAs have published a list of validation rules and a visual representation of the data model. These will be integrated into an updated reporting package, including a revised taxonomy, data point model, and validation rules, set for release in December 2024. 

 
What Financial Entities Should Do Now 
With the DORA implementation date drawing closer, financial entities should take the following actions to ensure compliance: 
  1. Start Early: Begin preparing the Registers of Information now, focusing on collecting and verifying all necessary data. 
  2. Utilise Draft Tools: Leverage the draft templates and validation rules provided by the ESAs to align reporting efforts with expected requirements. 
  3. Engage with Competent Authorities: Stay in close contact with national regulators to ensure submissions meet local timelines. 
  4. Monitor Updates: Keep track of further announcements from the ESAs, particularly the updated reporting technical package in December 2024. 
 

Building Resilience Through Collaboration 
The designation of critical ICT third-party providers under DORA is a significant milestone in ensuring the stability and security of the EU financial system. By engaging with the ESAs’ reporting framework and utilising the resources made available, financial entities can contribute to a more resilient and transparent ecosystem. 
As deadlines approach, proactive preparation and collaboration with regulators will be key to meeting these new standards and supporting the broader goals of DORA. 

Want to know more?
For further advice or support on preparing for DORA compliance, contact our team at technology@bdo.com.mt and we’ll help guide you through the process to ensure your compliance by the deadline.