Upcoming DORA deadlines: reporting registers and the roadmap to designating critical tech providers

With the Digital Operational Resilience Act (DORA) applicable since 17 January 2025, the first post-application date milestone is looming. 

In-scope financial entities are required to report to their competent authority their registers of information in relation to all contractual arrangements on the use of information and communication technology (ICT) services provided by ICT third-party service providers in the coming weeks. The competent authorities are then required to report these registers of information themselves to the ESAs by 30 April 2025.

On 18 February 2025, the European Supervisory Authorities (ESAs) published a note with the key steps involved in the process of designating "critical" ICT third party service providers (CTPPs) as such, This will ultimately result in the DORA-mandated pan-European oversight framework of CTPPs. ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published.

The designation of CTPPs in 2025

The relevance of designating ICT third-party service providers as "critical" is that DORA requires such CTPPs to be subject to oversight and there are certain obligations imposed on CTPPs under DORA which will need to be adhered to.

Financial entities are required to ensure that their CTPPs comply with DORA requirements. This means that financial entities must conduct due diligence, monitor performance, and ensure that their contracts include provisions that reflect the regulatory obligations under DORA.

The next steps in the designation of CTPPs will take the form of the following:

The graphic shows that when ICT third-party service providers are designated as "critical" by the ESAs, there will be an opportunity to challenge such designation. It is expected that the initial designation of CTPPs occur by the end of July 2025, following which there will be a six-week period for such entities to challenge their designation with a "reasonable statement" and by providing supporting documentation.

In the meantime, the Central Bank of Ireland has updated its website to provide guidance for financial entities on how and when their registers of information should be submitted. The window for financial entities to make such submissions to the Central Bank is from 1 to 4 April 2025 and submission is to be made via its portal.

How Ogier can help

Ogier can assist you in navigating your DORA obligations and ensuring compliance. For personalised advice, please contact our team via their contact details below.

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice