ESAs publish Report on the landscape of ICT third-party providers in the EU

The ESAs have released a report on ICT TPPs in the EU as part of their preparations for DORA. This report aims to understand the landscape of ICT services provided by TPPs to financial entities in the EU. It also supports the ESAs‘ policy-making process in response to the EC’s request to define criteria for critical ICT TPPs and determine oversight fees.
The report is based on a data collection exercise that covered ICT-related contractual agreements across the financial sector. This exercise identified approximately 15,000 ICT TPPs directly serving financial entities in the EU. Many of these TPPs provide critical or important services across various functions for financial institutions. Most critically assessed services were considered non-substitutable by financial institutions.
The data collection exercise has provided valuable insights for implementing DORA, emphasizing the importance of unique identifiers and the need for an appropriate taxonomy for ICT services.
This analysis was carried out with the support of CAs across the EU financial sector, but its statistical representativeness is unknown. DORA will come into effect in January 2025 and aims to create a comprehensive framework for managing ICT third-party risk, including the oversight of critical ICT TPPs. The findings of the report will feed into the ongoing work of the ESAs in relation to DORA’s policy mandates.