Who Are Critical ICT Third-Party Service Providers Under DORA?


General Counsel

Updated

Apr 24, 2026


If your financial institution relies on cloud platforms, data centers, or specialist tech vendors, you need to understand this. The EU’s Digital Operational Resilience Act (DORA) introduces a concept that changes the regulatory landscape for technology providers: the designation of “critical ICT third-party service providers” (CTPPs).

In plain terms, a CTPP is an information and communications technology (ICT) vendor deemed so important to the stability of the EU financial system that regulators now supervise it directly. Not indirectly through its bank clients. Directly. That is a significant shift, and it matters whether you sit on the financial institution side or the vendor side of that relationship.

Let me walk you through exactly who qualifies, how the designation works, and what it means in practice.

What DORA Says About ICT Third-Party Providers

DORA applies to a broad range of financial entities, from banks and insurers to investment firms and crypto-asset service providers. Under the regulation, any company outside a financial entity’s own group that provides ICT services, such as cloud computing, software, data analytics, or network infrastructure, is an ICT third-party service provider (ICT TPP).

Not all ICT TPPs are created equal under DORA. The regulation draws a clear line between ordinary vendors and those that are “critical.” Only the latter category falls under the EU-level oversight framework described in Articles 31 to 44 of Regulation (EU) 2022/2554.

The oversight authority sits with the three European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). They jointly designate CTPPs, and each CTPP is assigned a Lead Overseer from one of the three bodies.

The Four Core Criteria for “Critical” Status

Article 31(2) of DORA sets out four criteria the ESAs evaluate when deciding whether an ICT provider deserves the critical label. A provider must satisfy all four, not just one. Here they are in plain language:

1. Systemic impact of potential failure. If the provider suffered a large-scale operational disruption, would it destabilize the financial sector? Regulators look at how many financial entities would be affected, and how severely.

2. Systemic importance of dependent financial entities. Who is using this provider? If the provider’s customers include Global Systemically Important Institutions (G-SIIs) or Other Systemically Important Institutions (O-SIIs), the concentration of risk is higher, and the criticality threshold is lower.

3. Reliance on the provider for critical or important functions. Financial entities must classify their own functions as “critical or important” under DORA. If a large portion of those high-stakes functions depend on a single provider, that concentration matters.

4. Substitutability. Could financial entities realistically switch to another provider within a reasonable timeframe? If migration were highly complex or practically impossible for a significant share of customers, the provider would be harder to replace and therefore more critical.

How the Two-Step Designation Process Works

The ESAs do not simply apply judgment. A Commission Delegated Regulation from February 2024 specifies a structured two-step methodology.

Step 1: Quantitative screening. The ESAs collect data from the Registers of Information that financial entities are required to maintain and submit. They screen providers against numeric thresholds. For example, the quantitative criteria are met where the provider serves at least 10% of financial entities in a given category and, for at least 10% of those customers, migration to an alternative provider would be highly difficult.

Step 2: Qualitative assessment. If a provider clears the quantitative thresholds, regulators conduct a deeper review. This covers the intensity of service disruption, the technical complexity of integration into financial entities’ systems, the provider’s cross-border footprint across EU member states, and modeled disruption scenarios.

A provider must clear both steps to receive a designation. If the service provider is part of a group, the assessment considers the ICT services provided by the group as a whole.
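To make the Step 1 screening concrete, here is an added Python example (not from the article or from the ESAs' methodology) that applies the two thresholds exactly as the article states them to constructed register rows; the field names, provider names and the `RegisterRow` layout are assumptions for illustration only:

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed register-of-information rows, one per (financial entity, ICT provider)
# relationship. Field names are assumptions, not the official register template.
@dataclass(frozen=True)
class RegisterRow:
    entity: str               # financial entity identifier (e.g. an LEI)
    category: str             # entity category, e.g. "credit_institution"
    provider: str             # ICT third-party service provider
    migration_difficult: bool # entity reports switching away would be highly difficult

ENTITY_SHARE_THRESHOLD = 0.10   # provider serves >= 10% of entities in a category
HARD_MIGRATION_THRESHOLD = 0.10 # >= 10% of those customers cannot easily migrate

def screen_providers(rows):
    """Step 1 quantitative screening with the thresholds as the article states them.
    Returns {provider: {category: (entity_share, hard_migration_share)}} for pairs
    clearing both thresholds; passing only triggers the Step 2 qualitative review."""
    entities_in_category = defaultdict(set)
    customers = defaultdict(set)   # (provider, category) -> entities served
    hard = defaultdict(set)        # (provider, category) -> entities hard to migrate
    for r in rows:
        entities_in_category[r.category].add(r.entity)
        customers[(r.provider, r.category)].add(r.entity)
        if r.migration_difficult:
            hard[(r.provider, r.category)].add(r.entity)
    passed = defaultdict(dict)
    for (provider, category), served in customers.items():
        share = len(served) / len(entities_in_category[category])
        hard_share = len(hard[(provider, category)]) / len(served)
        if share >= ENTITY_SHARE_THRESHOLD and hard_share >= HARD_MIGRATION_THRESHOLD:
            passed[provider][category] = (round(share, 3), round(hard_share, 3))
    return dict(passed)

def build_sample_register():
    """Constructed sample of 20 credit institutions: CloudA serves 5 (25%), one hard
    to migrate (20%) -> passes; NicheB serves 1 (5%) -> fails; CloudC 4, none hard -> fails."""
    rows = []
    for i in range(1, 21):
        ent, cat = f"BANK{i:02d}", "credit_institution"
        if i <= 5:
            rows.append(RegisterRow(ent, cat, "CloudA", i == 1))
        elif i == 6:
            rows.append(RegisterRow(ent, cat, "NicheB", True))
        elif i <= 10:
            rows.append(RegisterRow(ent, cat, "CloudC", False))
        else:
            rows.append(RegisterRow(ent, cat, "LocalIT", False))
    return rows
```

Note that an entity only counts toward a category's denominator if it appears in at least one register row, so an incomplete register understates the population and can inflate a provider's share.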

Once designated, the provider is formally notified and has a six-week window to submit a reasoned objection. After that period, the ESAs issue the final designation.

Who Is Exempt?

Not every large tech company serving financial firms can be designated. Certain categories are exempt from designation: financial entities that provide ICT services to other financial entities, purely intra-group or domestic providers, and service providers already subject to oversight under Article 127 of the Treaty on the Functioning of the European Union (TFEU), such as certain payment systems.

This keeps the framework focused on genuinely cross-sector, external technology dependencies rather than capturing internal IT teams or entities already under equivalent supervision.

The First 19 CTPPs: Who Made the List?

On November 18, 2025, the ESAs published the first official list of designated CTPPs under Article 31(9) of DORA. The list comprises 19 companies that deliver a wide range of ICT services, from core infrastructure to business and data services, to financial entities of all types and sizes across the EU.

In alphabetical order, the 19 designated CTPPs are:

Provider | Primary Service Category
Accenture plc | Managed IT services
Amazon Web Services EMEA Sarl | Cloud computing
Bloomberg L.P. | Financial data and analytics
Capgemini SE | IT consulting and managed services
Colt Technology Services | Network and connectivity
Deutsche Telekom AG | Telecommunications
Equinix (EMEA) B.V. | Data centers and colocation
Fidelity National Information Services, Inc. (FIS) | Financial technology
Google Cloud EMEA Limited | Cloud computing
International Business Machines Corporation (IBM) | IT infrastructure and services
InterXion HeadQuarters B.V. | Data centers and colocation
Kyndryl Inc. | IT infrastructure services
LSEG Data and Risk Limited | Financial data and analytics
Microsoft Ireland Operations Limited | Cloud computing and software
NTT DATA Inc. | IT services
Oracle Nederland B.V. | Cloud and database services
Orange SA | Telecommunications
SAP SE | Enterprise software and cloud
Tata Consultancy Services Limited | IT services and consulting

The designated providers are primarily large cloud and platform service providers such as AWS, Google Cloud, Deutsche Telekom, and Microsoft, as well as Oracle and SAP. The list also notably captures data center operators, telecom providers, and specialist financial technology firms, reflecting the full stack of dependencies that modern financial institutions carry.

What Designation Means for CTPPs

Being named a CTPP is not a badge of honor. It comes with substantial new obligations and direct regulatory scrutiny.

Each CTPP must designate a legal entity, ideally an EU subsidiary with sufficient resources, as a coordination point with the relevant ESA, and it must also pay annual oversight fees to the relevant ESA.

The ESAs, working through Joint Examination Teams (JETs) composed of staff from across the supervisory authorities, will assess each CTPP’s risk management and governance frameworks. This includes reviewing incident reporting procedures, subcontracting arrangements, cybersecurity controls, and overall digital resilience practices.

The ESAs have the power to request information, carry out ongoing monitoring, conduct investigations and inspections, and recommend cybersecurity measures directly to CTPPs. If a CTPP does not comply with recommendations, the ESA can make the non-compliance public. As a last resort, regulators can compel financial entities to suspend or terminate their use of a CTPP’s services.

For non-EU providers, the stakes are even higher. Those CTPPs that are not based in the EU are required to establish a presence in the EU within 12 months of the designation, and financial entities may be unable to use the services of such CTPPs if they have not complied with this requirement.

Non-compliance exposes CTPPs to periodic penalty payments of up to 1% of average daily worldwide turnover, applicable for each day of breach under Article 35(6) of DORA.

What This Means for Financial Entities

Here is where things get a little nuanced. If one of your ICT vendors is now a CTPP, that is good news in one sense: the ESAs are watching them. But it does not reduce your own responsibilities one bit.

Whilst designated third-party providers now face direct regulatory scrutiny, financial institutions cannot treat this as a substitute for their own due diligence and risk management obligations. Firms remain fully accountable for ensuring their outsourcing arrangements meet DORA’s standards, regardless of whether their vendor is now supervised by the ESAs.

In practice, that means you still need robust contractual protections, your own risk assessments, and tested exit plans. Exit plans for all 19 CTPPs must be documented and tested at least annually.

There is also a risk of commercial friction. Some CTPPs may push back on customer-imposed audit rights, arguing that ESA oversight already covers the ground. Do not accept that framing. Your DORA obligations are independent of the ESA oversight framework.

The List Will Evolve

The November 2025 list is not permanent. The list of critical ICT third-party providers will be updated and published by the ESAs on an annual basis. Providers not designated now could appear on future lists if their customer base grows or their market concentration increases. Conversely, current CTPPs could be removed if their circumstances change.

ICT providers not currently on the list can also voluntarily request designation once the list is published.

What You Should Do Now

Whether you are a financial institution or an ICT vendor, the steps forward are clear.

For financial entities: cross-check your Register of Information against the 19 designated CTPPs. For every match, verify that contracts meet DORA’s requirements, update your risk register, and confirm that your incident response procedures account for provider-level disruptions. Report CTPP relationships to your management body as part of the ICT risk report required under Article 5(4) of DORA.

For ICT vendors: if you are on the list, engage your Lead Overseer and establish your EU coordination entity without delay. If you are not on the list, do not assume you are off the hook. Financial entities will still impose DORA-standard contractual requirements on every vendor supporting a critical or important function.

DORA’s CTPP framework is one of the most consequential elements of EU financial regulation in years. It brings technology vendors inside the regulatory perimeter in a way that simply did not exist before. Understanding exactly who qualifies, how they are assessed, and what obligations follow is not optional reading. It is the foundation of a credible digital resilience strategy.


General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.