bugzero background
Key Takeaways From the ESAs Report on Critical TPP Criteria

Key Takeaways From the ESAs Report on Critical TPP Criteria

Miles Lancaster

Miles Lancaster

Architecture, Security, and Compliance

Nikhil Shah

Nikhil Shah

Director at Fieldfisher LLP

The European Union's Digital Operational Resilience Act (DORA) is soon to come into force, marking a pivotal shift in how Information and Communication Technology (ICT) Third-Party Service Providers (TPPs) supplying ICT services into the financial services sector will need to operate. Whilst for most ICT TPPs DORA will only apply indirectly (i.e. by virtue of the obligations which their customers will be required to flow down to them), a sub-group of "Critical Third-Party Service Providers" (CTPPs) will be directly regulated under DORA for the first time.

Although the specific list of CTPPs is still being developed, a report published by the European Supervisory Authorities (ESAs) in September last year sheds some crucial light on how they will apply the criteria set out in DORA to determine which entities are critical. The below insights into the ESA report are tailored to help you assess whether you will be considered a CTPP in order to start planning accordingly.

Whether you're a large enterprise or a smaller organization assessing the value of a compliance program, our expertise is designed to safeguard your operations against significant financial repercussions. Let's dive into how this affects you and the key takeaways from the report.

ESA Report Takeaways

The ESA report provides clarity on how the criteria set out in Article 31 of DORA will be applied in practice to identify which TPPs are deemed critical. We’ve summarized some of the more straightforward takeaways below, but our strong recommendation is that you read the report itself. There are details within that which will help you determine whether or not you need to take action.

Below is a table from the ESA report that highlights the process for determining whether or not an organization is deemed critical.

Via the ESA Report

Our team has translated some of the key indicators for determining if this will impact your organization:

Indicator 1.1 - If a Third-Party Provider services Critical & Important functions for more than 10% of the total number of Financial Entities.

Indicator 1.2 - If a Third-Party Provider services Critical & Important functions for more than 10% of Financial Entities based on their total assets. 

Indicator 4.1 - If a Third-Party Provider has a unique service supporting Critical & Important functions that 10% or more Financial Entities claim there is no alternative provider available. 

Indicator 4.2 - If a Third-Party Provider services Critical & Important functions for more than 10% of Financial Entities who claim that the TPPs service is highly complex or difficult to migrate/reintegrate. 

However, identifying as a CTPP is the beginning of this process. To understand how to act, you must understand the DORA regulations. The first step is figuring out whether you are likely to be a CTPP. If you are, the second step you must follow is to map the requirements under DORA against your existing policies and processes to ascertain the level of lift. The likelihood is that even the most sophisticated IT suppliers in the world will need to alter processes to meet the new requirements.

Uncertainty is no grounds for complacency, and organizations can’t afford to wait. A proactive risk assessment of your third-party software means you can minimize your accepted risk. 

Evaluate your position in the criticality spectrum now, not later. Delaying until July 2024 could mean scrambling for compliance at the last minute – a situation that leads to risks and potential oversights.

Not Sure Where to Begin?

If your organization falls into the critical category, or if you’re uncertain if you do, you must dig deeper. You don’t want July 2024 to come without being prepared. Reviewing the ESA report is the first step, but it’s not the last.

For guidance and action plans on improving your operational resilience, BugZero is here to provide the tools necessary to comply and thrive. Learn more about the BugZero approach to ensure your organization is compliant and future-ready. 

For more information on navigating your obligations under DORA and how this will impact your contracting and procurement strategy in the financial services sector, Nikhil Shah at Fieldfisher will be delighted to help.


Do you know how much operational outages are costing you?

Understand the cost to your business and how BugZero can help you reduce those costs.

Sign up for our monthly Zero Defect Digest