EU · In Force · Final

RTS Oversight Harmonisation – (EU) 2025/295

Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities

European Commission
Updated Feb 13, 2025
vFinal

Abstract

Regulatory Technical Standards under DORA that harmonise the conditions for conducting oversight of critical ICT third-party service providers. The Regulation specifies information required for voluntary applications to be designated critical, defines the content and format of information that critical ICT third-party providers must supply to the Lead Overseer (including governance, security, risk and incident management, data centre locations, subcontracting value chains and audit evidence), sets expectations for remediation planning and progress/final reporting after oversight recommendations, provides a template for reporting subcontracting arrangements, and establishes cooperation/information-sharing mechanics between the Lead Overseer and competent authorities assessing residual exposure of supervised financial entities.

Key Takeaways

  • Sets detailed information requirements for ICT third-party service providers submitting a voluntary request to be designated as critical under DORA, and allows rejection of incomplete applications.
  • Clarifies the types of information and documents that critical ICT third-party providers must provide to the Lead Overseer to support oversight activities (contracts, governance, security controls, locations, incident/risk frameworks, audits and resilience testing evidence).
  • Requires remediation planning aligned to the Lead Overseer’s timelines after recommendations, and enables the Lead Overseer to request interim progress reports and final implementation reports with supporting evidence.
  • Introduces an annexed template to standardise sharing of subcontracting arrangements (mapping, services, access to sensitive data/systems, locations, governance, risk controls, continuity, audits/certifications).
  • Defines how competent authorities assess impacts on financial entities from measures taken by critical ICT third-party providers and how results may be shared with the Lead Overseer proportionately, especially for severe cross-border risks.

Keywords

Commission Delegated Regulation (EU) 2025/295; Regulation (EU) 2022/2554; DORA; Article 31(11); Article 35; Article 41(2); Article 42; critical ICT third-party service providers; Lead Overseer; subcontracting template; remediation plan; interim progress report; final report
