On 27 September 2023, the European Supervisory Authorities (ESAs) co-published a report on the landscape of information and communication technology (ICT) of third-party providers (TTP) in the EU.

The report sets out the results of a high-level analysis, carried out by the ESAs together with Member State competent authorities with the objective of getting a preliminary overview of the provision of ICT services to EU financial entities by ICT TTPs. The analysis was performed to inform preparations for the application of the Digital Operational Resilience Act (DORA).

The results of the analysis provide a first overview of ICT TPPs across the EU financial sector, including the services they provide to financial entities.

The results set out in the report highlight the following:

  • Overall, the exercise identified around 15,000 ICT TPPs directly serving financial sector entities across the EU.
  • The most frequently used ICT TPPs support critical or important functions for their clients in a wide range of services.
  • Most crucial services were classified as non-substitutable by financial institutions, which exacerbates the concerns over concentration risk in the sector.

The data collection exercise has also revealed some valuable lessons for the implementation of DORA. For instance, it has underlined the importance of ensuring that financial entities provide unique identifiers in the data submitted and the need to develop an appropriate ICT services taxonomy.

The results of the analysis continue to be considered in the preparation of the relevant DORA policy mandates, especially the register of information and the ESAs response to the European Commission call for advice to specify further the criteria referred to in Article 31(2) of DORA to be considered by the ESAs when assessing the critical nature of ICT third-party service providers.