Alert
07.28.25
Since the EU Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, came into effect on January 17, 2025, EU financial entities and providers of information and communication technology (ICT) services (ICT Providers) have shifted from compliance planning to active implementation of the internal and external measures DORA requires: remediating contracts for ICT services and completing the financial entities’ registers of information, which detail the contractual arrangements between each financial entity and its ICT Providers. The subcontracting requirements under DORA, however, were significantly delayed. Commission Delegated Regulation (EU) 2025/532, supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions (the Subcontracting RTS), has now been published and entered into force on July 22, 2025.
The Subcontracting RTS establish detailed requirements on the use of subcontractors in the performance of ICT services supporting a financial entity’s critical or important functions. Both new and existing agreements with ICT Providers should reflect these requirements. Financial entities and ICT Providers that undertook a contract remediation exercise to meet the DORA compliance deadline may now need to revisit the subcontracting sections of those contracts, either because the provisions reflect the rejected draft Subcontracting RTS or because subcontracting was not addressed at all given that the Subcontracting RTS were not yet in force.
European Supervisory Authorities (ESAs) Prepare to Oversee Critical ICT Providers (CTPPs)
With the DORA deadline for financial entities to submit their completed registers of information to the competent authorities (i.e., national EU financial services regulators), and onward to the ESAs, having passed at the end of April 2025, the ESAs are now working on designating CTPPs and on establishing and conducting oversight of those CTPPs.
On July 15, 2025, the ESAs published their “Guide on the Oversight of Critical Third-Party Providers,” providing a structured framework for the supervisory oversight of CTPPs designated under Article 31 of DORA (CTPP Oversight Guide). The CTPP Oversight Guide sets out the practical approach to be followed by the Lead Overseer, including the planning and execution of oversight activities under Articles 35–38 of DORA.
The CTPP Oversight Guide applies to ICT Providers designated as CTPPs by the ESAs (on the basis of systemic importance, market concentration and substitutability criteria) and to the financial entities that depend on such CTPPs, including banks, insurers, asset managers and crypto-asset service providers. The CTPP Oversight Guide details how ESAs will:
The CTPP Oversight Guide also emphasizes the role of the Oversight Forum, an advisory body that assists in prioritizing and aligning ESA-level supervisory actions.
European Banking Authority (EBA) Launches Public Consultation on Draft Guidelines
The EBA has launched a consultation to revise its guidelines in line with DORA. On July 8, 2025, the EBA published draft guidelines for the management of risks arising from third-party arrangements that are not ICT-related, with a particular focus on the provision of critical or important functions (Draft EBA Guidelines). The Draft EBA Guidelines revise and update the previous Guidelines on Outsourcing (published in 2019).
The objective of the Draft EBA Guidelines is to close the regulatory gap between DORA’s ICT-specific requirements and the governance of other critical or important third-party services, such as facility management, HR support or physical security, by suggesting a general approach to third-party risk. Whilst ICT-related third-party agreements are excluded from the Draft EBA Guidelines as they are subject to DORA, the Draft EBA Guidelines specify the steps to be taken by financial entities in scope for the life cycle of third-party arrangements in general, such as risk assessments, due diligence, the contractual phase, subcontracting, monitoring, exit strategies and termination processes. The Draft EBA Guidelines propose changes to ensure consistency with the requirements of the DORA framework, such as registers of information.
The Draft EBA Guidelines do not apply to all EU financial entities—they only apply to credit institutions, investment firms, payment institutions and electronic money institutions. Financial entities within scope will have a transition period of two years to review and amend their existing third-party arrangements and to update the register for non-ICT third-party arrangements.
The EBA’s consultation is open until October 8, 2025.
Looking Forward – Impact and Action
With DORA now fully applicable, supervisory engagement is intensifying. The recent developments underscore the ESAs’ intention to move to active oversight and to extend operational resilience principles across all layers of critical service delivery. The next major DORA milestone will be the designation of the first set of CTPPs, with the ESAs expected to perform criticality assessments by the end of July 2025 and notify ICT Providers of their designation as critical. Following that, the designated ICT Providers may object to the assessment with a reasoned statement and supporting information (by the first half of September 2025). Final CTPP designations and the commencement of the ESAs’ oversight activities are expected to take place by the end of 2025.
Financial entities and their third-party service providers (whether ICT Providers or otherwise) should now consider the following actions: