.svg)
The European Supervisory Authorities (EBA, EIOPA, and ESMA) have published their roadmap for designating critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA).
Once designated, CTPPs are likely to be major ICT service providers, such as cloud computing, data analytics and cybersecurity firms. This could include the likes of Microsoft and Amazon Web Services.
The process, set to conclude this year, will mark the start of active oversight, and national competent authorities will be required to submit their registers of information on ICT third-party arrangements by April 30, 2025.
The ESAs will then conduct criticality assessments, notifying designated providers by July, with a six-week objection period following before final designation and oversight engagement.
To support the transition, the ESAs have also announced plans to hold an online workshop in Q2 2025, with further details to come.
