DORA oversight
The Digital Operational Resilience Act (DORA) establishes an EU-wide oversight framework for critical ICT (information and communication technology) third-party providers (CTPPs) to ensure that the financial sector remains secure and resilient against ICT disruptions.
Under DORA, the European Supervisory Authorities (EBA, EIOPA and ESMA) are responsible for designating third-party providers as critical and acting as their Lead Overseers, coordinating oversight actions across the Union.
The oversight framework helps to address potential systemic and concentration risks arising from the financial sector's reliance on a limited number of ICT providers. It complements, rather than replaces, financial entities' own responsibilities for managing ICT-related risks and the supervision already exercised over them by competent authorities (CA).
On this page, the ESAs provide updated information and resources concerning the oversight framework and the oversight activities performed.
Key concepts relating to the DORA oversight framework
Lead Overseer | The Lead Overseer (LO) is one of the European Supervisory Authorities (ESAs), responsible for conducting the oversight activities for the CTPP(s) relevant for its financial sector. The LO is appointed according to Article 31(1) point (b) of DORA. The LO is supported by Joint Examination Teams (JETs) including staff from the ESAs and relevant CAs. From an operational perspective, the ESAs are organised through a single joint Directorate performing the oversight of CTPPs as “one team”. |
CTPP | A critical ICT third party service provider, or CTPP, is an ICT third party service provider (defined in point 19 of Article 3 of DORA) serving financial entities in Europe designated by the ESAs as critical in application of Article 31 of DORA and of Commission Delegated Regulation (EU) 2024/0502. The list of CTPPs is published on the websites of the ESAs. |
DORA oversight activities | The set of activities that the ESAs carry out as part of the CTPPs’ oversight, consisting of: (i) designation; (ii) risk assessment; (iii) planning; (iv) execution of oversight examinations; (v) issuance and follow-up of recommendations. The activities and the approach undertaken by the ESAs are described in the Oversight Guide. |
Oversight Forum | The Oversight Forum (OF) is the standing committee of the ESAs dedicated to DORA oversight, set up as a Joint Committee sub-committee. It carries out preparatory work both for certain individual acts addressed to CTPPs and for the issuing of collective recommendations by the JC, ensuring a consistent approach to oversight activities. It is composed of the chairpersons of the ESAs, senior representatives from CAs and several observers from national and European authorities. The Oversight Forum is established according to Article 32 of DORA. |
Joint Examination Team | When conducting oversight activities, the ESAs are assisted by Joint Examination Teams. A dedicated JET is established for each CTPP according to Article 40 of DORA and Commission Delegated Regulation (EU) 2025/420. The Joint Examination Team works under the coordination of a designated staff member of the ESAs, the ‘LO coordinator’. |
Competent Authority | The relevant competent authorities defined in Article 46 of DORA in charge of supervising financial entities’ compliance with DORA. |
Regulatory framework
The links below point to the applicable Regulation, ESAs guidelines and Decisions that are relevant for the DORA Oversight over CTPPs.
Level 1
Level 2 – Regulatory, implementing and delegated acts in the official journal
- Commission Delegated Regulation (EU) 2025/295 on Harmonisation of conditions enabling the conduct of the oversight activities
- Commission Delegated Regulation (EU) 2024/1502 specifying the criteria for the designation of ICT third-party service providers as critical for financial entities
- Commission Delegated Regulation (EU) 2025/420 on Joint Examination Team
Level 3 – Guidelines issued by the ESAs
ESAs decision on reporting of the register of information
Reporting tools
Oversight guide
This guide provides high-level explanations to external stakeholders regarding the CTPP Oversight framework. It also provides an overview of the governance structure, the oversight processes, the founding principles and the tools available to the overseers.
However, the guide is not a legally binding document and does not replace the legal requirements laid down in the relevant applicable EU law.
List of critical ICT third party service providers (CTPPs)
According to Article 31(8) of DORA, the ESAs publish and update the list of CTPPs across the EU on an annual basis.
Oversight Forum
Established according to Article 32 of DORA, the Oversight Forum is the standing committee of the ESAs dedicated to DORA oversight, set up as a Joint Committee sub-committee.
The Oversight Forum, where appropriate, may seek the advice of independent experts appointed according to Article 32(6) of DORA by following the Rules and Procedures for the engagement of independent experts (R&P), adopted as a joint decision of the three ESAs’ Boards of Supervisors.
The R&P provide for the transparent establishment of a pool of experts from which the Oversight Forum may appoint experts. The ESAs will publish the names of the contracted independent experts.
Opt-in
ICT TPPs that are not automatically designated by the ESAs have the option to voluntarily request an assessment for CTPP designation by following the process described at the link below.
Contacts
ESA-DORA-Oversight[at]eba.europa.eu
Publications
ESAs Decision on reporting of information for CTPP designation (corrigendum consolidated)