On 15 July 2025, the European Supervisory Authorities (ESAs), comprising the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, published a guide on oversight activities under the Digital Operational Resilience Act (DORA). The guide outlines how the authorities will oversee critical third-party providers (CTPPs) in the internet and communications technology (ICT) sector that support the European Union's financial entities. The framework applies only to ICT providers formally designated as critical, based on criteria including systemic impact and substitutability, and establishes annual cycles for designation, risk assessment, and oversight planning. Lead Overseers (the ESAs) will conduct ongoing monitoring, investigations and inspections, and issue recommendations, through Joint Examination Teams, supported by the Oversight Forum, Joint Oversight Network, and Joint Oversight Venture to ensure coordinated, proportionate, and transparent oversight. The guide also clarifies cooperation between the ESAs and national competent authorities, which benefit from shared findings in their supervision of financial entities' ICT and third-party risks.