DORA Oversight Activities
Digital resilience has become a defining regulatory challenge for ICT service providers supporting the financial sector. With growing scrutiny and new layers of oversight, many ICT third-party service providers ("ICTSPs") find themselves facing obligations and expectations well beyond traditional commercial relationships.
On 15 July 2025, the European Supervisory Authorities ("ESAs") released their long-awaited Guide on Oversight Activities under the Digital Operational Resilience Act ("DORA"), clarifying how ICTSPs will be overseen under the new regime.
As we have previously explored, DORA, which came into force in January 2025, introduces a unified EU framework to bolster operational resilience of financial entities and mitigate systemic risks stemming in particular from concentrated dependencies on ICTSPs. The new Guide offers a practical roadmap for all stakeholders including the financial entities, ICTSPs and the national competent authorities, detailing how the oversight process will pragmatically unfold.
Here, we take a quick look at how the oversight process will work under DORA for ICTSPs.
Designation
Each year, the ESAs will run an identification process to assess whether or not an ICTSP qualifies as "critical".
The qualification criteria include:
- systemic impact;
- 'interconnectedness';
- critical nature of services;
- limited substitutability; and
- the number and type of financial entities served.
Once an ICTSP is designated as critical, it will be subject to the oversight of the ESAs.
It is to be noted that only ICT services captured by DORA will be taken into consideration. Interestingly, ICTSPs not initially designated as critical can request to be designated and assessed voluntarily.
Oversight Fees
Once designated as critical, ICTSPs become subject not only to regulatory scrutiny but also to financial obligations under the DORA oversight framework. To fund the costs of supervision, the Lead Overseer ("LO") is tasked with charging oversight fees to each Critical ICTSP.
These fees are calculated to fully cover the LO's expenditures related to oversight activities. To determine the appropriate amounts, the LO collects financial and operational data from the ICTSPs, estimates the annual oversight costs, and calculates and collects the fees accordingly.
ICTSPs are expected to be prepared to provide the necessary accounting and financial information to enable this calculation and must ensure they have sufficient resources available to meet these oversight costs.
In addition to oversight fees, the LO also holds the authority to impose periodic penalty payments in cases of non-compliance, as provided for under DORA.
Risk Assessment & Examinations
Each Critical ICTSP will be assigned an LO, one of the ESAs, which is responsible for coordinating oversight; the LO is chosen according to which financial sector relies most heavily on that provider. Together with the Joint Examination Teams ("JETs"), and alongside the Oversight Forum and the Joint Oversight Network, the LO prepares an Annual Oversight Plan. This plan outlines the specific supervisory activities, such as examinations, investigations and inspections, that will be conducted for each critical ICTSP during the year.
The Oversight Forum plays a key role in steering oversight activities and ensuring consistency across sectors, serving as the body where significant findings and strategic directions are discussed and endorsed. Meanwhile, the Joint Oversight Network supports operational coordination among overseers, facilitating information-sharing and aligning the execution of oversight tasks.
Oversight is then carried out by JETs, comprised of staff from the ESAs and national competent authorities. These bodies work in tandem to monitor risks, conduct investigations and carry out on-site inspections where necessary, always applying a risk-based and dynamic approach tailored to each critical ICTSP's risk profile.
In addition to the aforementioned actions, LOs can issue 'Requests for Information', which may be informal ("Request for Information by simple request") or otherwise take the form of a legally binding decision carrying potential penalties if such requests are not complied with ("Request for Information by decision").
Recommendations
A significant feature of the oversight framework is the ability of the ESAs to issue recommendations directly to ICTSPs in response to identified shortcomings.
Such ICTSPs must either commit to implementing them through remediation plans or explain why they are not following them. In cases of persistent non-compliance, the ESAs have the power to escalate matters, which could ultimately result in financial entities being required to terminate relationships with 'problematic' ICTSPs.
--
The ESAs encourage financial entities, ICT providers, and other stakeholders to familiarise themselves with both the guide and the underlying legal texts to prepare for the oversight regime.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.