“ESAs Guide for the Implementation of DORA and the Supervision of ICT Suppliers”

The European Supervisory Authorities, also known as ESAs, have recently released a fundamental guideline for the implementation of the Digital Operational Resilience Act, better known as DORA. This regulatory act aims to enhance digital operational resilience in the European financial sector, and one of its most innovative and complex aspects concerns the direct oversight system over critical ICT service providers.

This is not simply a supporting document, but rather a genuine operational manual aimed at translating the theoretical provisions of DORA into practical applications. A significant novelty is that for the first time, European financial supervisory authorities are empowered to directly supervise ICT service providers deemed essential for the stability of the financial system. This includes, among others, large cloud service providers that support multiple financial institutions.

The guideline offers a clear definition of the criteria that will enable the identification of these “critical” providers. It outlines the process through which the ESAs will conduct investigations and inspections, including on-site checks, and presents a cooperation framework in which a “Lead Overseer” will be responsible for coordinating oversight activities for each designated provider.

For financial institutions, this document represents a significant step forward, as it provides greater certainty regarding the monitoring of strategic technology partners. In a context where third-party risk management is becoming increasingly crucial, this guideline offers added value by establishing more stringent control standards.

ICT service providers, for their part, will find in the document clauses concerning the expectations and obligations they must meet. These are requirements that will push these companies to raise their standards of resilience and transparency, going beyond what is normally required by contracts with their clients. The aim of this regulatory framework is to ensure that, despite the growing reliance of the financial sector on cloud solutions and other technological services, new systemic vulnerabilities are not created.

Essentially, the ESAs’ guideline represents a critical step towards making DORA fully operational. This will not only ensure a rigorous application of the rules throughout the European Union but will also contribute to greater stability and security in the financial system. The implementation of DORA marks a decisive turning point in the fight against the risks that can arise from an increasingly deep connectivity between technologies and financial services.

With the advent of this guideline, financial institutions and their providers are called to respond to new challenges and to engage in adjusting their operational practices. Direct oversight will not only be a matter of compliance but will represent an opportunity to improve the quality of the services provided, strengthening the trust of users and investors.

In this ever-evolving scenario, it is important for industry players to stay updated and informed. Therefore, we invite you to stay connected and discover more by following our social media profiles, where we will share further insights, news, and updates related to these important topics. The future of digital operational resilience has already begun, and together we can make a difference.