
ESAs designate critical ICT third-party providers under DORA
On 18 November 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) announced a major milestone in the rollout of the Digital Operational Resilience Act (DORA): the official designation of the first Critical ICT Third-Party Providers (CTPPs) in the European Union.
This marks the start of direct EU-level oversight for key technology suppliers that underpin the operational resilience of the European financial sector. For banks, insurers, investment firms, and other regulated entities, this announcement reshapes how ICT outsourcing must be managed in 2025 and beyond.
Why the CTPP Designation Matters
DORA creates a pan-European ICT-risk and resilience framework that applies to more than 20 categories of financial entities. A central pillar of this regulation is the identification of ICT providers whose failure could affect the stability of the entire EU financial ecosystem.
By designating CTPPs, the ESAs:
- Identify ICT providers that support critical or important functions across the EU
- Assess systemic concentration risks in ICT outsourcing
- Bring these providers under direct ESA oversight, beyond national authorities
- Enhance transparency and accountability across financial value chains
This shifts the focus from individual financial institutions to the structural dependencies that the sector has on a small number of cloud, data, telecom, and infrastructure providers.
How the ESAs Selected Critical ICT Providers
The designation process is based on the methodology defined in Articles 31–33 DORA:
1. Register Data Collection
Financial institutions submitted detailed outsourcing information into the DORA Register of Information.
The ESAs aggregated the data EU-wide.
2. Criticality Assessment
The ESAs and national competent authorities evaluated ICT providers using DORA’s multifactor criteria, including:
- Systemic impact on the EU financial sector
- Volume and scale of services used by regulated entities
- Level of substitutability
- Dependence of critical or important functions on the provider
- Cross-jurisdictional interconnectedness
3. Right to Be Heard & Final Decision
Providers preliminarily assessed as critical were notified and allowed to respond.
After reviewing the responses, the ESAs issued the final designation decisions.
The Newly Designated CTPPs Under DORA
The ESAs published the alphabetical list of designated Critical ICT Third-Party Providers.
These providers supply essential ICT services—ranging from cloud and data hosting to market data and telecommunications—across the EU financial sector.
They will now enter a direct ESA oversight regime, including:
- Oversight examinations
- Mandatory information submissions
- Resilience and stress-testing requirements
- Targeted investigations into ICT governance and risk controls
This places DORA’s CTPP Oversight Framework on par with other EU supervisory mechanisms, such as the Single Supervisory Mechanism for significant banks.
What This Means for Financial Institutions
The designation of CTPPs has immediate regulatory implications for all financial entities operating in the EU:
1. Outsourcing to CTPPs Is Now Subject to High-Intensity Supervision
Contracts with CTPPs will face heightened scrutiny, especially regarding:
- Exit strategies
- Sub-outsourcing
- Monitoring rights
- Incident reporting obligations
- Data access and audit rights
2. Register of Information Must Be Updated
Entities must ensure accurate and complete DORA outsourcing registers, including:
- Risk assessments
- Critical/important function mappings
- Contractual DORA compliance checks
3. Supervisory Expectations Increase
DORA requires institutions to demonstrate:
- Full understanding of reliance on CTPPs
- Robust vendor-risk governance
- Independent assurance over the provider’s controls
- Alignment with Articles 28–30 DORA
4. Concentration Risk Becomes a Board-Level Issue
The designation highlights the sector’s reliance on a few global providers.
Boards must therefore:
- Regularly assess ICT concentration risks
- Review strategic outsourcing dependencies
- Ensure resilience and exit options
What It Means for ICT Service Providers
Providers not included on the list are treated as non-critical ICT third-party providers, meaning:
- They remain under national supervisory oversight, not ESA oversight
- Their contractual obligations follow Articles 28–30 DORA
- They benefit from lighter proportionality requirements
- They can leverage their non-critical status competitively in the market
This distinction is relevant for ICT vendors with low market share, high substitutability, or a regional client base.
The Beginning of a New Oversight Era
The designation of CTPPs is one of the most consequential steps in operational-resilience regulation in the EU’s history. DORA fundamentally reshapes how financial institutions manage ICT dependencies—and how ICT providers must structure their governance, security, and resilience frameworks.
As the ESAs begin examination activities with these providers, financial institutions should expect:
- more supervisory guidance,
- more structured oversight,
- and more rigorous implementation expectations.
DORA is no longer in a preparation phase. The oversight era has officially started.