The European Supervisory Authorities (ESAs) have issued joint guidelines designed to improve coordination, oversight, and information sharing between EU supervisory bodies under the Digital Operational Resilience Act (DORA), which applies from 17 January 2025.

The document sets out a detailed framework for how the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) will cooperate with national regulators.

The guidelines are issued under Article 16 of the founding regulations of the ESAs and Article 32(7) of DORA, which mandates the creation of common procedures for cooperation and information exchange between the ESAs and competent authorities.

According to the ESAs, the goal is to ensure a coordinated, efficient, and consistent supervisory approach across the European Union when overseeing critical ICT third-party service providers — companies such as major cloud, software, or cybersecurity vendors whose systems are essential to financial stability.

The ESAs said the guidelines seek to provide “a cohesive framework for information exchange and cooperation” between supervisory bodies and to avoid duplication of oversight work, while ensuring that both the ESAs and national authorities have a shared understanding of roles, responsibilities, and timelines.

Under the new framework, national competent authorities must notify the relevant ESA whether they comply or intend to comply with the guidelines within two months of their publication in all EU languages. Failure to do so will be treated as non-compliance. Notifications will be published on each ESA’s website.

The guidelines define communication procedures, reporting requirements, and oversight mechanisms to be used between the ESAs and competent authorities, including the establishment of secure electronic systems and single points of contact for data sharing. Communication is expected to take place primarily in English unless otherwise agreed.

A secure online platform will be used for exchanging confidential information and ensuring protection against unauthorised access. The ESAs also emphasise inclusivity and accessibility in communication, suggesting translation services and accessibility tools where needed.

The document outlines timelines for oversight actions, specifying that the Lead Overseer — the ESA appointed to supervise a particular critical ICT provider — can shorten or extend deadlines in consultation with national authorities when urgent action is required.

In case of disagreements between the ESAs and national regulators, the Oversight Forum will act as a mediator to reach a mutually acceptable solution.

The guidelines also set out procedures for designating critical ICT third-party providers, ensuring that information such as company details, registration codes, and oversight start dates are shared promptly between the ESAs and national authorities.

Once an ICT provider is designated as critical, the Lead Overseer must develop annual and multi-annual oversight plans and share them with national authorities within 10 working days of adoption.

The ESAs also require timely information sharing on incidents that affect financial entities, changes in a provider’s management structure, and other risk events that could disrupt ICT services.

The framework introduces clear rules for follow-up of oversight recommendations, specifying responsibilities for national regulators and the ESAs. The Lead Overseer remains the main contact point for critical ICT service providers, while national authorities oversee financial entities’ compliance with recommendations.

Where a critical ICT provider fails to comply with oversight recommendations, the Lead Overseer may impose periodic penalty payments, and national competent authorities may require the financial entities they supervise to temporarily suspend or terminate their use of the provider's services until the identified risks are addressed.

The ESAs stated that these measures are intended to promote “efficient, risk-based supervision and the consistent application of DORA across all member states”.

The guidelines will take effect on January 17, 2025, and will be subject to regular review to ensure their continued relevance and alignment with evolving digital and operational resilience challenges in the financial sector.