How the ESAs' Guide on Oversight Activities Changes DORA Enforcement

DORA Atlas Editorial

From Framework to Field Manual

For the first twelve months after DORA became applicable, the oversight framework existed primarily on paper. The regulation defined the Lead Overseer regime (Art. 31-44), the designation criteria for Critical Third-Party Providers (Art. 31(2)), and the oversight powers available to supervisors (Art. 35-36). But the practical mechanics — how examinations would be conducted, how information would be requested, how findings would be communicated, and how remediation would be enforced — remained undefined.

On July 15, 2025, the European Supervisory Authorities closed that gap. The guide on DORA oversight activities published that day is the operational manual for the entire oversight regime. It translates the regulation's legal framework into supervisory procedures, examination protocols, and coordination mechanisms. Combined with Delegated Regulation (EU) 2025/420 — which establishes the formal rules for Joint Examination Teams — and the Joint Committee's 2026 Work Programme, the guide marks DORA's transition from regulatory construction to operational enforcement.

The Oversight Architecture: Who Does What

DORA's oversight structure operates through three institutional layers, each with defined responsibilities:

| Layer | Entity | DORA basis | Primary function |
|---|---|---|---|
| Strategic | Joint Committee of ESAs | Art. 31 | CTPP designation, Lead Overseer assignment, policy coordination |
| Operational | Lead Overseer (EBA, ESMA, or EIOPA) | Art. 33 | Direct supervision of designated CTPPs, examination leadership |
| Tactical | Joint Examination Teams (JETs) | Art. 40 | On-site and off-site examinations, information gathering, finding production |

The guide clarifies the interaction between these layers in practice. The Joint Committee designates CTPPs and assigns Lead Overseers based on the financial sector most dependent on each provider. The Lead Overseer designs the oversight plan and convenes JETs for specific examination activities. JETs include staff from the Lead Overseer, the other two ESAs, and relevant national competent authorities — creating cross-jurisdictional examination teams with diverse supervisory perspectives.

Lead Overseer Assignment Logic

The guide details the criteria for assigning a Lead Overseer to each designated CTPP:

EBA takes the lead when the CTPP primarily serves banking and credit institutions. Given that the three hyperscale cloud providers (AWS, Azure, Google Cloud) serve the banking sector extensively, EBA is expected to lead oversight for several of the largest CTPPs.

ESMA leads when the CTPP's primary dependency is in capital markets — exchanges, trading venues, central counterparties, and investment firms. Financial data providers like Bloomberg fall in this category.

EIOPA leads when the CTPP primarily serves the insurance and pensions sector. While fewer CTPPs are expected under EIOPA's lead, the insurance sector's growing cloud dependency will increase this role over time.

The assignment is not exclusive — JETs include representatives from all three ESAs regardless of the Lead Overseer, ensuring cross-sectoral visibility.

The JET Framework: Delegated Regulation 2025/420

Delegated Regulation (EU) 2025/420 establishes the formal legal basis for JET operations. The regulation addresses:

Team composition. JETs must include staff from the Lead Overseer ESA, at least one other ESA, and relevant NCAs from member states where the CTPP provides services to financial entities. The composition ensures that the examination team understands the CTPP's impact across jurisdictions and sectors.

Examination scope. JET examinations can cover:

  • Governance and risk management arrangements of the CTPP
  • Physical security of data centers and processing facilities
  • ICT risk management processes and controls
  • Business continuity and disaster recovery capabilities
  • Security testing results and vulnerability management
  • Sub-outsourcing arrangements and supply chain risk management
  • Incident management and notification processes

Information powers. The JET can request any information from the CTPP that is relevant to the examination scope. Art. 35(1) provides that the Lead Overseer may "request all relevant information and documentation." Refusal or obstruction triggers the penalty framework under Art. 35(8).

On-site inspection powers. Art. 36 empowers the Lead Overseer to conduct on-site inspections at any premises of the CTPP — including data centers, offices, and operational facilities. The guide specifies practical protocols for on-site inspections: notification timelines, access requirements, documentation seizure procedures, and confidentiality protections.

The Examination Process: From Scoping to Finding

The guide establishes a structured examination lifecycle:

Phase 1 — Scoping (4-6 weeks)

The Lead Overseer defines the examination scope based on:

  • The CTPP's risk profile (size, complexity, market concentration)
  • Financial entities' dependency on the CTPP's services
  • Previous oversight activities and their findings
  • Intelligence from NCAs, financial entities, and market surveillance

The scoping phase produces a formal examination mandate that defines objectives, timelines, team composition, and information requirements.

Phase 2 — Information Request (4-8 weeks)

The JET issues structured information requests to the CTPP. These may cover:

  • Organizational and governance documentation
  • ICT risk management frameworks and policies
  • Business continuity and disaster recovery plans
  • Incident logs and post-incident reviews
  • Security testing results and remediation tracking
  • Sub-outsourcing registers and due diligence records
  • Service level agreements and performance metrics

The guide specifies response timelines and escalation procedures for incomplete or delayed responses.

Phase 3 — Analysis and On-Site Examination (6-12 weeks)

The JET analyzes submitted information and conducts on-site examinations where necessary. On-site activities may include:

  • Technical infrastructure reviews
  • Interviews with CTPP management and technical staff
  • Process walkthroughs and control testing
  • Physical security assessments of data center facilities
  • Review of monitoring and alerting capabilities

Phase 4 — Findings and Recommendations (4-6 weeks)

The examination produces formal findings categorized by severity:

| Finding severity | Description | Expected response |
|---|---|---|
| Critical | Fundamental control failure posing imminent risk to financial stability | Immediate remediation required; potential for supervisory measures |
| Major | Significant control weakness that could materially affect service provision | Remediation plan within 30 days; implementation within 90 days |
| Important | Control weakness requiring attention but not posing immediate risk | Remediation plan within 60 days; implementation within 180 days |
| Observation | Area for improvement not constituting a formal finding | Acknowledged and tracked; addressed at CTPP's discretion |

Findings are communicated to the CTPP through a formal report. The CTPP may submit a response. Unresolved findings may escalate to the recommendation and penalty framework under Art. 35.

Phase 5 — Follow-Up

The guide establishes ongoing monitoring of remediation progress. The Lead Overseer tracks whether the CTPP implements remediation within agreed timelines and may conduct follow-up examinations to verify closure of findings.

What This Means for CTPPs

The 19 organizations designated as CTPPs in November 2025 face a new supervisory reality. For many — particularly the hyperscale cloud providers and major SaaS platforms — this is their first experience of direct financial regulatory supervision.

Governance requirements. CTPPs must maintain governance arrangements that satisfy the Lead Overseer's expectations. This includes designated points of contact for supervisory engagement, documented ICT risk management frameworks, and the ability to produce information in response to formal requests within specified timelines.

Inspection readiness. On-site inspections of data centers and operational facilities require preparation: access procedures for regulatory inspectors, documentation availability, interview-ready staff, and physical security arrangements that accommodate unannounced visits (Art. 36(2)).

EU subsidiary requirement. Non-EU CTPPs designated under Art. 31 must establish an EU subsidiary within 12 months of designation. This provision, aimed primarily at US-headquartered cloud providers, ensures that the Lead Overseer has a legal entity within EU jurisdiction against which to exercise its powers.

Penalty exposure. Art. 35(8) provides for penalties of up to 1% of the CTPP's average daily worldwide turnover per day of non-compliance with a recommendation. For a hyperscale cloud provider with daily worldwide turnover exceeding EUR 500 million, this represents a daily penalty exposure exceeding EUR 5 million — a figure that commands attention even from the largest technology companies.

What This Means for Financial Entities

Financial entities are not directly subject to the JET examination process — that process targets CTPPs. But the oversight regime has significant indirect implications for them:

Enhanced due diligence obligations. Art. 28(2) requires financial entities to assess whether their ICT third-party service providers maintain adequate risk management. The oversight guide's examination criteria provide a benchmark for what "adequate" means. Financial entities should align their third-party due diligence with the JET examination scope.

Information flow expectations. NCAs participating in JETs may request information from financial entities about their experience with designated CTPPs — service disruptions experienced, SLA performance, contractual concerns. Financial entities should maintain records that enable rapid response to such requests.

Contractual updates. JET findings about CTPP practices may necessitate contractual updates between financial entities and their CTPPs. If a JET finding identifies a sub-outsourcing risk that the CTPP has not disclosed, financial entities may need to update their Art. 28(3) register and renegotiate contractual terms.

Concentration risk reassessment. The designation of 19 CTPPs, combined with the oversight guide's examination framework, provides new information relevant to Art. 29 concentration risk assessments. Financial entities should update their concentration analysis to reflect the oversight regime's implications.

The 2026 Work Programme: What Comes Next

The Joint Committee's 2026 Work Programme signals the oversight regime's priorities for its first full year of operation:

First-wave examinations. The ESAs intend to conduct initial examinations of designated CTPPs during 2026, beginning with those assessed as highest risk based on financial sector dependency and market concentration.

Oversight methodology refinement. The guide published in July 2025 will be supplemented with more detailed examination methodologies as the ESAs gain operational experience. Sector-specific examination protocols for cloud services, financial data, and telecommunications are expected.

Cross-border coordination. The 2026 Work Programme emphasizes coordination between ESAs and NCAs in the oversight process. This includes protocols for sharing examination findings, coordinating remediation expectations, and avoiding duplicative supervisory burden on CTPPs subject to oversight from multiple jurisdictions.

Convergence with NCA supervision. The programme addresses the interface between direct CTPP oversight (by the Lead Overseer) and indirect supervision of financial entities' third-party risk management (by NCAs). This coordination is critical to ensuring that oversight findings translate into improved risk management at the financial entity level.

The Enforcement Trajectory

The oversight guide, combined with the JET framework and the 2026 Work Programme, establishes a clear enforcement trajectory:

2025 (H2): Framework publication, designation of CTPPs, establishment of oversight teams, initial engagement with designated CTPPs.

2026 (H1): First-wave examinations begin, information requests issued, initial on-site inspections conducted for highest-priority CTPPs.

2026 (H2): First findings communicated, remediation timelines established, follow-up processes initiated. Potential for first recommendations under Art. 35 if critical findings are not addressed.

2027: Second-wave examinations, follow-up on first-wave findings, potential for first penalties under Art. 35(8) if recommendations are not implemented.

This trajectory is deliberate. The ESAs are building the examination capacity, establishing supervisory precedents, and accumulating evidence before exercising their most powerful enforcement tools. But the trajectory's direction is unmistakable: from observation to engagement to enforcement.

For both CTPPs and the financial entities that depend on them, the July 2025 guide is the signal that the operational phase of DORA's oversight regime has begun.


This analysis reflects the ESAs' guide on DORA oversight activities published on July 15, 2025, Delegated Regulation (EU) 2025/420 on Joint Examination Teams, and the Joint Committee's 2026 Work Programme.