Global Trustee and Fiduciary Services Bite-Sized Issue 3 2025
• Regulated entities’ compliance with cybersecurity rules and regulations; and
• Public issuer fraudulent disclosure relating to cybersecurity.

Link to Announcement here

ESAs Provide Roadmap Towards the Designation of CTPPs Under DORA

On 18 February 2025, the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) announced that they are advancing in the implementation of the pan-European oversight framework of critical ICT third-party service providers (CTPPs) with the objective to designate the CTPPs and to start the oversight engagement this year.

CTPP designation and engagement

To designate the CTPPs in 2025, the ESAs say they will perform the following steps:

• Collection of the Registers of Information: Competent Authorities are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.
• Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
• Final Designation: After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.

The ESAs say that ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published. Details on how to request this will be provided soon.
To provide clarity to the market on preparatory activities, the designation process and on the ESAs’ oversight approach, the ESAs plan to organise an online workshop with ICT third-party providers in the second quarter of 2025. Further details on the exact date will be published in due course.

Link to Announcement here

RTS on Conduct of Oversight Activities published in Official Journal

On 13 February 2025, delegated regulation (EU) 2025/295 on regulatory technical standards (RTS) on the oversight of critical ICT third-party service providers to the financial sector under DORA was published in the Official Journal of the EU. The RTS outlines the information these providers need to submit when voluntarily applying for designation as “critical,” emphasising the need for detailed and complete applications for proper assessment.

The RTS details the information critical ICT third-party service providers must provide to the Lead Overseer upon request. This includes information about their organisational structure, market share, governance arrangements, security measures, data protection practices, incident management frameworks, subcontracting arrangements, and compliance reports.

A key aspect of the RTS is the requirement for critical ICT third-party service providers to submit a remediation plan detailing how they will address recommendations and mitigate risks identified by the Lead Overseer. This includes providing interim progress reports and final reports on the implementation of these actions and remedies.

The RTS also establishes a template for sharing information on subcontracting arrangements, recognising the complex structure of ICT service provision. It mandates competent authorities to assess the impact of the measures taken by critical ICT third-party service providers based on the Lead Overseer’s recommendations, ensuring the financial entities they supervise are adequately protected.
This involves evaluating the adequacy of corrective actions, considering the Lead Overseer’s assessment, and sharing relevant findings with the Lead Overseer to inform their evaluation.