The designation of the first Critical ICT Third-Party Providers (CTPPs) under DORA marks a new phase in the supervision of ICT third-party risk in European financial institutions. The new framework has major implications for ECB-supervised banks, particularly since ICT risk remains, in relative terms, the weakest-performing SREP category. Supervisors view banks’ growing reliance on third parties as a potential source of operational and systemic risk.

      DORA’s new oversight framework will assess designated CTPPs’ ability to deliver secure and reliable services to financial institutions. Assessments will cover areas such as ICT security and resilience, governance, incident management, physical security, testing and audit. Where weaknesses are identified, supervisors can issue recommendations to the CTPP for improvement.

      DORA also establishes a structured link between supervisory findings on CTPPs and financial institutions’ internal ICT risk management processes. Competent authorities, including the ECB, must inform affected financial entities about risks identified at CTPPs, and institutions are expected to factor this into their ICT third-party risk management.

      This creates a feedback loop in which supervisory findings at CTPPs are increasingly likely to influence supervisory assessments of banks’ ICT risk management frameworks. Supervisory discussions will therefore focus more closely on how banks incorporate supervisory insights on CTPPs into their own risk management processes. Supervisors expect banks to demonstrate a clear and traceable process showing how information about CTPP risks is:

      • obtained and analysed
      • assessed with regard to the institution’s ICT dependencies
      • reflected in internal risk assessments and mitigation measures.

      Supervisory scrutiny is particularly likely where services provided by CTPPs are essential to the resilience of critical or important functions (CIFs). Areas of potential focus could include:

      • Monitoring of CTPP-related developments:

        Supervisors are likely to examine how banks monitor developments related to CTPPs and assess their relevance for the institution’s ICT dependencies. Processes such as the systematic capture and analysis of supervisory findings, engaging with key ICT providers, and integrating this data into ICT third-party risk management frameworks may help to meet expectations.

      • Dependencies on Critical or Important Functions (CIFs):

        Supervisory attention is particularly likely when services provided by CTPPs support banks’ CIFs. In such cases, discussions would focus on how firms assess the potential impact of CTPP weaknesses on the resilience of supported services, including severe-but-plausible disruption scenarios, contingency plans and substitution options.

      • Integration into Internal Risk Management:

        Supervisors would expect clear, auditable links between CTPP findings and banks’ internal risk assessments. This could include updating risk registers, assessing residual risk after mitigation measures, documenting management risk acceptance and linking CTPP findings with operational resilience analyses.

      • Governance and the Three Lines of Defence:

        Given the systemic importance of CTPPs, supervisors are likely to focus on the monitoring and oversight of any dependencies. This might include regular governance reporting on CTPP exposures and escalation processes for significant risks. The role of second-line functions in dependency monitoring and the coverage of CTPPs within risk-based internal audit planning may also be scrutinised.

      • Mitigation Measures and Exit Strategies:

        Supervisors will most likely ask how institutions manage concentration risks and potentially exit from individual CTPPs. Discussions could focus on contractual safeguards, contingency arrangements, or exit strategies. Reliance on a single provider without credible mitigation may attract increased scrutiny.

      The introduction of CTPP oversight under DORA marks a structural shift in how ICT third-party risks are managed and supervised across Europe. ICT providers face new regulatory expectations; however, financial institutions remain responsible for managing the risks arising from their reliance on those services. Supervisory findings on CTPPs are likely to play a growing role in how the ECB assesses banks’ ICT risk management and operational resilience frameworks.

      Institutions that can demonstrate a structured approach to analysing such findings and reflecting them in their internal risk management processes will be at an advantage in future supervisory dialogue and SREP assessments.

      KPMG ECB — Advisory Services

      KPMG ECB Office offers you information and solutions for dealing with the ECB supervisory approach under the SSM.

      Our people

      Dina Friedrichs

      Senior Manager

      KPMG in Germany

      Elvira Niedermeier

      Senior Manager, KPMG ECB Office

      KPMG in Germany