On 18 February 2025, the European Supervisory Authorities (ESAs) issued a roadmap to the designation of critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA).
To designate CTPPs this year, the ESAs will perform the following steps:
- Collection of the Registers of Information: Member State competent authorities are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.
- Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
- Final designation: After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.