ESAs set timeline for ICT provider data under DORA
The European Supervisory Authorities (EBA, EIOPA, and ESMA) have announced a 30 April 2025 deadline for national regulators to report details of financial entities’ contracts with ICT service providers.
This marks the first step in identifying critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA), which comes into effect on 17 January 2025.
The ESAs outlined the procedures for gathering and submitting this data, emphasising the need for quality assurance and early preparation. While the final technical standards are still pending, most of the requirements have been public since January 2024, giving financial entities a head start – at least in theory.
However, the ESAs have opted to let national competent authorities (NCAs) decide when to collect this data, as long as it meets the April deadline. If you can hear a faint collective sigh, that’s probably the NCAs gearing up for a logistical juggling act. The DORA data collection leverages the xBRL-CSV standard and we are aware of extensive testing. Are regulated entities and their service providers going to be ready?
Want the full details? Read the ESAs’ announcement here.
