DORA CTPPs explained: rules, risks and obligations

If your financial institution depends on cloud infrastructure, data centres, or specialist technology vendors, there is a regulatory development you cannot afford to overlook.

According to Copla, the EU’s Digital Operational Resilience Act (DORA) has introduced a new and consequential concept: the designation of “critical ICT third-party service providers,” or CTPPs.

These are technology vendors considered so integral to the stability of the European financial system that regulators now supervise them directly — not through their financial institution clients as an intermediary, but as entities in their own right.

Under DORA, an ICT third-party service provider (ICT TPP) is any organisation outside a financial entity’s own corporate group that supplies ICT services, including cloud computing, software, data analytics, or network infrastructure. The regulation covers a sweeping range of financial entities, from banks and insurers to investment firms and crypto-asset service providers. However, not every ICT TPP carries the same regulatory weight. DORA draws a firm distinction between standard vendors and those considered “critical,” with the latter falling under an EU-level oversight framework set out in Articles 31 to 44 of Regulation (EU) 2022/2554.

Oversight responsibility sits with the three European Supervisory Authorities (ESAs) — the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). Together, they designate CTPPs and assign each one a Lead Overseer drawn from one of the three bodies.

The four criteria for “critical” status

Article 31(2) of DORA specifies four criteria that the ESAs must evaluate before labelling a provider critical. A provider must satisfy all four. First, regulators assess the systemic impact of a potential failure — specifically, whether a large-scale operational disruption at that provider would destabilise the financial sector and how many entities would be affected. Second, they consider the systemic importance of the financial institutions relying on that provider; if clients include Global Systemically Important Institutions (G-SIIs) or Other Systemically Important Institutions (O-SIIs), the concentration of risk heightens the criticality threshold. Third, they examine how heavily those high-stakes functions depend on a single vendor. Fourth, and perhaps most practically significant, they weigh substitutability — that is, whether financial entities could realistically migrate to an alternative provider within a reasonable timeframe.

A two-step designation process

A Commission Delegated Regulation published in February 2024 established a structured methodology for making these assessments, replacing ad hoc regulatory judgement with a defined two-step process. In the first step, the ESAs conduct quantitative screening using data from the Registers of Information that financial entities are required to maintain and submit. Numeric thresholds apply; for instance, quantitative criteria are met where a provider serves at least 10% of financial entities in a given category and, for at least 10% of those customers, switching to an alternative would be highly complex. If a provider clears these thresholds, a deeper qualitative review follows, covering the intensity of potential service disruption, technical integration complexity, cross-border footprint across EU member states, and modelled disruption scenarios. Only providers that pass both stages receive a formal designation.

Once notified, a provider has a six-week window to submit a reasoned objection before the ESAs issue their final decision. Certain categories are exempt from the process entirely, including financial entities supplying ICT services to other financial entities, purely domestic or intra-group providers, and those already subject to oversight under Article 127 of the Treaty on the Functioning of the European Union (TFEU).

The first 19 designated CTPPs

On 18 November 2025, the ESAs published the inaugural official list of designated CTPPs under Article 31(9) of DORA. The 19 companies span a wide range of services, from core cloud infrastructure to financial data, enterprise software, telecoms, and managed IT. The full list comprises: Accenture, Amazon Web Services EMEA, Bloomberg, Capgemini, Colt Technology Services, Deutsche Telekom, Equinix (EMEA), Fidelity National Information Services (FIS), Google Cloud EMEA, IBM, InterXion HeadQuarters, Kyndryl, LSEG Data and Risk, Microsoft Ireland Operations, NTT DATA, Oracle Nederland, Orange, SAP, and Tata Consultancy Services.

The breadth of the list reflects the full technology stack that modern financial institutions rely upon, encompassing hyperscale cloud platforms, specialist financial data providers, colocation data centre operators, and large-scale IT services firms.

What designation means in practice

Being named a CTPP carries significant obligations. Each provider must designate a legal entity — preferably an EU subsidiary with adequate resources — as the coordination point for engagement with its assigned ESA, and must pay annual oversight fees. The ESAs will deploy Joint Examination Teams (JETs) composed of staff from across the supervisory authorities to assess risk management frameworks, incident reporting procedures, subcontracting arrangements, cybersecurity controls, and overall digital resilience practices.

Regulators can request information, conduct ongoing monitoring, carry out investigations and inspections, and issue direct cybersecurity recommendations. If a CTPP does not act on those recommendations, the relevant ESA can publicise its non-compliance. As a last resort, regulators may compel financial entities to suspend or terminate their use of a non-compliant CTPP’s services. Non-EU CTPPs face an additional requirement: they must establish a presence within the EU within 12 months of designation, failing which their financial entity clients may be barred from using their services. Persistent non-compliance may result in periodic penalty payments of up to 1% of average daily worldwide turnover per day of breach, pursuant to Article 35(6) of DORA.

Obligations for financial entities remain unchanged

The existence of direct ESA oversight over CTPPs does not diminish the responsibilities of the financial institutions that use them. Firms remain fully accountable for ensuring that their outsourcing arrangements meet DORA’s requirements, irrespective of whether their vendor is now subject to ESA supervision. Robust contractual protections, independent risk assessments, and tested exit plans are still mandatory. Exit strategies for relationships with all 19 designated CTPPs must be documented and stress-tested at least annually.

Financial institutions should also be alert to potential commercial friction. Some CTPPs may argue that ESA oversight renders customer-imposed audit rights redundant. That argument should be firmly rejected; DORA obligations operate independently of the ESA oversight framework.

The list of designated CTPPs will be updated and republished annually. Providers not currently named could appear in future rounds as their market footprint expands, while existing designees could be removed if their circumstances change materially. Providers not currently designated can also voluntarily request inclusion once the list is in force.

Steps to take now

For financial institutions, the immediate priority is to cross-check the Register of Information against the 19 designated CTPPs, verify that all relevant contracts meet DORA’s contractual requirements, update the risk register accordingly, and confirm that incident response procedures account for provider-level disruptions. These relationships must also be reported to the management body as part of the ICT risk report required under Article 5(4) of DORA.

For ICT vendors on the list, the urgent task is to engage the assigned Lead Overseer and establish the required EU coordination entity without delay. For those not yet designated, DORA-standard contractual requirements will still be imposed by financial entity clients for any function classified as critical or important.

The CTPP framework represents one of the most significant extensions of EU financial regulation in recent years, bringing technology vendors inside the regulatory perimeter in a way that has no precedent. For any organisation on either side of an ICT service relationship, understanding who qualifies, how the assessment works, and what follows from designation is not a secondary compliance concern — it is foundational to any credible digital resilience strategy.

Copyright © 2026 FinTech Global