EU to Pinpoint Fewer Than 30 Tech Vendors as Critical Under DORA

WTS Capital
July 17, 2025

European regulators are preparing to designate fewer than 30 technology firms as “critical” third-party providers under the upcoming Digital Operational Resilience Act (DORA). The initiative, based on guidance from an Irish regulator, aims to narrow the focus to the largest European vendors, tightening oversight of the financial sector’s tech supply chain and resilience.

Key Takeaways

  • Fewer than 30 tech providers will be labeled as critical vendors under DORA.
  • Initial designations are likely to include the largest European technology firms.
  • Critical vendor status triggers stricter reporting, testing, and oversight.
  • The designations aim to strengthen operational resilience and reduce systemic risk in financial services.
  • Supervisors will adopt a narrow, risk-based approach to third-party oversight.

Background On DORA

The Digital Operational Resilience Act (DORA) is the first EU-wide framework dedicated to ensuring the operational resilience of financial institutions against ICT-related disruptions. Slated to enter into force in January 2025, DORA introduces uniform requirements for risk management, incident reporting, digital testing, and third-party oversight.

Criteria For Critical Vendor Designation

Regulators will assess potential critical vendors based on factors such as:

  • Market Share and Concentration Risk: High-impact services used by multiple financial entities.
  • Cross-Border Presence: Providers operating in multiple EU member states.
  • Systemic Importance: Services vital to the continuity of financial market operations.
  • Nature of Services: Core ICT functions like cloud computing, data analytics, and outsourcing.
  • Existing Risk Profile: Historical performance in resilience testing and incident management.

Implications For Designated Firms

Tech firms labeled as critical vendors will face enhanced regulatory obligations, including:

  1. Regular reporting of ICT risk metrics and incident notifications.
  2. Mandatory third-party testing and resilience assessments.
  3. Closer supervision by national and EU authorities.
  4. Potential sanctions or restrictions for non-compliance.

These measures are designed to mitigate systemic vulnerability arising from concentrated reliance on a small number of external providers.

Implementation Timeline And Next Steps

  • Mid-2024: Finalization of critical vendor list by European Supervisory Authorities.
  • Late 2024: Publication of targeted guidelines and supervisory expectations.
  • January 2025: DORA enters into force, with phased compliance deadlines thereafter.
  • Ongoing: Continuous review of vendor classifications and resilience testing outcomes.

Financial institutions and tech providers should prepare by mapping their third-party relationships, enhancing resilience frameworks, and engaging with regulators during the guideline drafting process.
