The Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) entered into force on 17 January 2025. Alongside its well-documented obligations for regulated financial entities, DORA establishes a pan-European oversight regime for Critical ICT Third-Party Service Providers (CTPPs)—companies whose operational failures could send shockwaves through the EU financial system.
CTPP designation brings with it a comprehensive supervisory regime, significant compliance obligations, and the potential for litigation. This post looks at where that litigation is likely to come from and what form it is likely to take.
Compliance, enforcement and litigation
The supervisory toolkit and what it means in practice
Once designated, CTPPs are subject to an extensive supervisory toolkit. It is worth pausing on what this means in practice, because each instrument carries its own litigation risk.
The supervisory toolkit operates on an escalating scale of intrusiveness. At one end sit general investigations into particular risk areas; at the other, full on-site inspections, where the European Supervisory Authority (ESA), designated as the Lead Overseer, may access records, take copies of materials, conduct interviews and enter and seal business premises. Cutting across all stages, the ESAs may issue requests for information by decision—binding instruments that carry penalties for non-compliance. Where deficiencies are identified, the ESAs may issue recommendations and require CTPPs to report on the actions taken and remedies implemented. Failure to comply can ultimately result in periodic penalty payments of up to 1% of average daily worldwide turnover, running for up to six months.
Grounds of challenge
Each of these actions by the ESAs is a potential source of litigation, and there will be several potential grounds of challenge.
Challenges to investigation and inspection decisions may allege inadequate reasoning of the subject matter, an insufficient evidential basis to launch the measure, or, particularly in the context of interviews, an infringement of the right against self-incrimination. Requests for information (provided they constitute formal decisions) may similarly be challenged on the basis that their stated purpose is inadequately reasoned, or that the scope of information demanded is disproportionate.
Recommendations give rise to their own set of arguments. A CTPP has 30 days to submit evidence of impacts on non-financial-entity customers and 60 days to notify its intention to follow the recommendation or to provide a reasoned explanation for non-compliance. The ESAs may publicly disclose non-compliance, a reputational sanction with real commercial consequences. Potential grounds of challenge include failure to respect the right to be heard or the disproportionate nature of the recommendation.
Where the ESAs escalate to periodic penalty payments, the litigation stakes rise further. CTPPs could contest the finding of non-compliance itself, challenge the calculation methodology, argue that relevant mitigating circumstances were insufficiently taken into account, or contend that the penalty exceeds the six-month statutory maximum.
Avenues for challenge
Challenges to ESA decisions follow a structured pathway. A CTPP wishing to contest a decision must first bring an appeal before the ESAs’ Joint Board of Appeal—an administrative review body common to EBA, EIOPA and ESMA. Only once that avenue has been exhausted can the matter be brought before the General Court of the European Union. A further appeal on points of law lies to the Court of Justice, but only if leave to appeal is granted. That sequential structure means that litigation in this space will often be prolonged, and the Joint Board of Appeal will be the critical first battleground for designated providers.
The designation rounds
Less than a year after DORA entered into force, the ESAs published their inaugural list of 19 designated CTPPs—a group spanning core infrastructure, cloud services, data and business services providers, each deemed to play a pivotal role within the EU financial ecosystem. Each now faces a comprehensive supervisory framework.
It is understood that a number of designated providers have already challenged their designation or are considering challenging other measures before the ESAs’ Joint Board of Appeal. The outcome of those challenges will determine the scope and limits of the regime going forward.
The current list of 19 is only the beginning. CTPP designation is an annual process, and future rounds are likely to capture new providers.
Concluding thoughts
DORA’s CTPP oversight regime is still in its infancy. The first designation decisions have been taken; the first challenges are understood to be underway. As the regime matures and the ESAs begin to exercise their supervisory powers over CTPPs in earnest, the full spectrum of potential litigation—from enforcement decisions to penalty payments—will come into sharper focus.
Florence Danis is a Partner at Linklaters LLP.
Guillaume Couneson is a Partner at Linklaters LLP.
Maxime Liebaert is an Associate at Linklaters LLP.
Laura Savonet is a Managing Associate at Linklaters LLP.
Thomas Reyntjens is a Managing Associate at Linklaters LLP.