Reporting RequirementLiveReporting RequirementsGuidance Update
European Supervisory Authorities announce timeline and reporting approach for CTPP designation under DORA (registers of information)
EU Digital Operational Resilience Act (DORA) — oversight of critical ICT third-party service providers (CTPPs)European Supervisory Authorities (EBA, ESMA, EIOPA)EU
Announced
Jan 22, 2025
Description
The European Supervisory Authorities (ESAs) communicated the timeline and reporting approach for the designation of critical ICT third-party service providers (CTPPs) under DORA, supported by an ESA Decision and associated data model for the DORA register of information. This affects vendor cybersecurity & data privacy by operationalizing supervisory oversight of ICT vendors serving EU financial entities and by driving standardized collection/reporting of ICT third-party contractual and service information (via competent authorities and regulated entities’ registers of information). Vendors supporting EU financial entities should anticipate increased information requests, structured data expectations, and governance requirements tied to DORA third-party risk oversight.
Sources
- OfficialThe ESAs announce timeline to collect information for the designation of critical ICT third-party service providers under the Digital Operational Resilience Act | European Banking Authority
- Official[PDF] ESA 2024 22 Decision on reporting of information for CTPP designation
- Official[PDF] CORRIGENDUM - European Banking Authority (ESA 2025 02)
- Official[PDF] Data Model for DORA Register of Information (RoI)