The Digital Operational Resilience Act (DORA) establishes an EU-wide oversight framework for critical ICT (information and communication technology) third-party providers (CTPPs) to ensure that the financial sector remains secure and resilient against ICT disruptions.
Under DORA, the European Supervisory Authorities (EBA, EIOPA and ESMA) are responsible for designating third-party providers as critical and acting as their Lead Overseers, coordinating oversight actions across the Union.
The oversight framework helps to address potential systemic and concentration risks arising from the financial sector's reliance on a limited number of ICT providers. It complements, rather than replaces, financial entities' own responsibilities for managing ICT-related risks and the supervision already exercised over them by competent authorities (CA).
On this page, the ESAs provide relevant information and resources concerning the oversight framework and the oversight activities performed.
Key concepts relating to the DORA oversight framework
- Lead Overseer
The Lead Overseer (LO) is one of the European Supervisory Authorities (ESAs) responsible to conduct the oversight activities for the CTPP(s) relevant for its financial sector. The LO is appointed according to Article 31(1) point (b) of DORA. The LO is supported by Joint Examination Teams (JETs) including staff from the ESAs and relevant CAs.
From an operational perspective, the ESAs are organised through a single joint-Directorate performing the oversight of CTPPs as “one team”.
- CTPP
A critical ICT third party service provider, or CTPP, is an ICT third party service provider (defined in point 19 of Article 3 of DORA) serving financial entities in Europe designated by the ESAs as critical in application of Article 31 of DORA and of Commission Delegated Regulation (EU) 2024/0502.
The list of CTPPs is published on the websites of the ESAs.
- DORA oversight activities
The set of activities that the ESAs carry out as part of the CTPPs’ oversight composed by: (i) designation; (ii) risk assessment; (iii) planning; (iv) execution of oversight examinations; (v) issuance and follow up of recommendations.
The activities and the approach undertaken by the ESAs are described in the Oversight Guide.
- Oversight Forum
The Oversight Forum (OF) is the standing committee of the ESAs dedicated to DORA oversight, set up as a Joint Committee sub-committee. It carries out preparatory work both for certain individual acts addressed to CTPPs, and for the issuing of collective recommendations by the JC, ensuring a consistent approach to oversight activities. It is composed of the chairpersons of the ESAs, senior representatives from CAs and several observers from national and European authorities
The oversight forum is established according to Article 32 of DORA.
- Joint Examination Team
When conducting oversight activities, the ESAs are assisted by Joint Examination Teams. A dedicated JET is established for each CTPP according to Article 40 of DORA and Commission Delegated Regulation (EU) 2025/420.
The Joint Examination Team works under the coordination of a designated staff member of the ESAs, the ‘LO coordinator’.
- Competent Authority
The relevant competent authorities defined in Article 46 of DORA in charge to supervise financial entities’ compliance to DORA.
Regulatory framework
The links below point to the applicable Regulation, ESAs guidelines and Decisions that are relevant for the DORA Oversight over CTPPs.
Level 1 – Regulation
Level 2 – Regulatory, implementing and delegated acts in the official journal
- Commission Delegated Regulation (EU) 2025/295 on Harmonisation of conditions enabling the conduct of the oversight activities
- Commission Delegated Regulation (EU) 2024/1502 specifying the criteria for the designation of ICT third-party service providers as critical for financial entities
- Commission Delegated Regulation (EU) 2025/420 on Joint Examination Team
Level 3 – Guidelines issued by the ESAs
ESAs decision on reporting of the register of information
Reporting tools
Oversight guide
This guide provides high-level explanations to external stakeholders regarding the CTPP Oversight framework. It also provides an overview of the governance structure, the oversight processes, the founding principles and the tools available to the overseers.
However, the guide is not a legally binding document and does not replace the legal requirements laid down in the relevant applicable EU law.
Opt-in
ICT TPPs that are not automatically designated by the ESAs have the option to voluntarily request an assessment for CTPP designation by following the process described at the link below.
DORA Article 31(11) allows ICT third-party service providers (ICT TPP) not included in the list of critical TPPs (CTPPs) by the ESAs to request designation as CTPP. For that purpose, an ICT TPP shall submit a reasoned application to the ESAs. The information required for the reasoned application is listed in Article 1 of the Commission Delegated Regulation (EU) 2025/295. The objective of the opt-in procedure is to enable ICT third-party service providers to bring to the ESAs’ attention relevant information or circumstances that may warrant consideration for critical designation outside the regular assessment cycle. The reasoned application will be assessed considering the criticality criteria used to designate the CTPPs and the additional information that will be submitted by the opt-in ICT TPP. The ESAs will reply within 6 months of formal reception of the reasoned application.
As per Article 4(3) of the Commission Delegated Regulation (EU) 2024/1505, an opt-in application is subject to the payment of a fixed opt-in fee of EUR 50,000. The payment of the opt-in fee is expected to accompany the application. To facilitate the invoicing process, an application shall therefore include a completed business partner form.
Before the formal application, any ICT TPP planning to request designation as CTPP is encouraged to submit to the ESAs an informal “draft application” to enable the ESAs to check whether the documents meet the requirements for formal application.
Where the ICT TPP belongs to a group, the information composing the reasoned application shall be provided in relation to the ICT services provided by the group as a whole.
The application form to be used (including to prepare the “draft application”) is available here: Opt-in Form
The information and documents composing the application shall be provided to the ESAs with the application form in a readable format (e.g. Word, Excel or PDF documents).
To provide the reasoned application to the ESAs, or for any questions related to the opt-in process, ICT TPPs should write to esa-dora-oversight
eba [dot] europa [dot] eu (esa-dora-oversight[at]eba[dot]europa[dot]eu).
EU ICT TPPs are invited to send their reasoned application (including all documents supporting the application) in English, to facilitate the application process. Non-EU entities are required to submit their applications in English.
Oversight forum
Established according to Article 32 of DORA, the Oversight Forum is the standing committee of the ESAs dedicated to DORA oversight, set up as a Joint Committee sub-committee.
The Oversight Forum, where appropriate, may seek the advice of independent experts appointed according to Article 32(6) of DORA by following the Rules and Procedures for the engagement of independent experts (R&P), adopted as a joint decision of the three ESAs’ Boards of Supervisors.
The R&P foresees a transparent establishment of a pool of experts from which the Oversight Forum may appoint experts. The ESAs will publish the names of the contracted independent experts.
Contacts
ESA-DORA-Oversighteba [dot] europa [dot] eu (ESA-DORA-Oversight[at]eba[dot]europa[dot]eu)
Other useful resources
Personal data protection
The information on the processing of personal data in the context of DORA oversight is available here.