Who are critical ICT third-party providers under DORA?


The EU’s Digital Operational Resilience Act (DORA) has introduced one of the most significant regulatory shifts in recent memory for technology vendors serving financial institutions: the formal designation of “critical ICT third-party service providers,” or CTPPs.

According to Copla, for any financial firm relying on cloud platforms, data centres, or specialist tech vendors, understanding this framework is no longer optional.

Copla recently discussed who the critical ICT third-party service providers under DORA are, and why it matters.

A CTPP is an information and communications technology (ICT) vendor considered so integral to the stability of the EU financial system that regulators now supervise it directly — not through its financial institution clients, but in its own right. That is a material departure from how oversight has traditionally worked, and it carries significant consequences for both sides of the vendor relationship.

What DORA says about ICT third-party providers

DORA applies across a wide range of financial entities, from banks and insurers to investment firms and crypto-asset service providers. Under the regulation, any external company providing ICT services — including cloud computing, software, data analytics, or network infrastructure — qualifies as an ICT third-party service provider (ICT TPP).

However, not all ICT TPPs are treated equally. DORA draws a firm distinction between standard vendors and those deemed “critical.” Only the latter fall under the EU-level oversight framework set out in Articles 31 to 44 of Regulation (EU) 2022/2554. Oversight authority rests with the three European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). Together, they designate CTPPs and assign each one a Lead Overseer from one of the three bodies.

The four core criteria for “critical” status

Article 31(2) of DORA sets out four criteria the ESAs must evaluate. A provider must satisfy all four to receive the designation:

Systemic impact of potential failure. Should a provider experience a large-scale operational disruption, would this destabilise the broader financial sector? Regulators assess the number of affected financial entities and the severity of the impact.

Systemic importance of dependent financial entities. If a provider’s clients include Global Systemically Important Institutions (G-SIIs) or Other Systemically Important Institutions (O-SIIs), the concentration of risk is elevated and the criticality threshold correspondingly lower.

Reliance on the provider for critical or important functions. Financial entities must themselves classify their functions under DORA. If a significant proportion of high-stakes functions depend on a single provider, that concentration is taken into account.

Substitutability. Could financial entities realistically migrate to an alternative provider in a reasonable timeframe? If switching is technically complex or effectively impossible for a material share of customers, the provider is considered harder to replace — and therefore more critical.

How the two-step designation process works

The ESAs follow a structured methodology set out in a Commission Delegated Regulation published in February 2024, comprising two steps.

The first is quantitative screening. The ESAs draw on data submitted via the Registers of Information that financial entities are required to maintain. Providers are screened against numeric thresholds — for instance, where a provider serves at least 10% of financial entities in a given category and, for at least 10% of those customers, migration to an alternative would be highly difficult.

The second is a qualitative assessment. Providers that clear the quantitative thresholds are then subject to a deeper review, covering the likely intensity of any service disruption, the technical complexity of their integrations with financial institutions, their cross-border footprint across EU member states, and modelled disruption scenarios. A provider must clear both steps to be formally designated.

Once designated, a provider is formally notified and has a six-week window in which to submit a reasoned objection. After that period, the ESAs issue the final designation.

Who is exempt?

Not every large technology company serving financial firms is eligible for designation. Financial entities that provide ICT services to other financial entities, purely intra-group or domestic providers, and service providers already subject to oversight under Article 127 of the Treaty on the Functioning of the European Union (TFEU) — such as certain payment systems — are all excluded. This ensures the framework targets genuinely cross-sector, external technology dependencies rather than internal IT functions or entities already under equivalent supervision.

The first 19 CTPPs: who made the list?

On 18 November 2025, the ESAs published the first official list of designated CTPPs under Article 31(9) of DORA. The 19 companies named span a broad range of ICT services, from core infrastructure to financial data and business services, and collectively serve financial entities of all types and sizes across the EU.

The designated CTPPs are: Accenture plc (managed IT services); Amazon Web Services EMEA Sarl (cloud computing); Bloomberg L.P. (financial data and analytics); Capgemini SE (IT consulting and managed services); Colt Technology Services (network and connectivity); Deutsche Telekom AG (telecommunications); Equinix (EMEA) B.V. (data centres and colocation); Fidelity National Information Services, Inc. (FIS) (financial technology); Google Cloud EMEA Limited (cloud computing); International Business Machines Corporation (IBM) (IT infrastructure and services); InterXion HeadQuarters B.V. (data centres and colocation); Kyndryl Inc. (IT infrastructure services); LSEG Data and Risk Limited (financial data and analytics); Microsoft Ireland Operations Limited (cloud computing and software); NTT DATA Inc. (IT services); Oracle Nederland B.V. (cloud and database services); Orange SA (telecommunications); SAP SE (enterprise software and cloud); and Tata Consultancy Services Limited (IT services and consulting).

The list is dominated by major cloud and platform providers — AWS, Google Cloud, Microsoft, and Oracle — alongside data centre operators, telecoms firms, and specialist FinTech providers, reflecting the full breadth of technology dependencies that modern financial institutions carry.

What designation means for CTPPs

Being named a CTPP carries substantial new obligations. Each designated provider must appoint a legal entity — ideally an EU subsidiary with sufficient resources — as a coordination point with the relevant ESA, and must also pay annual oversight fees.

The ESAs will assess each CTPP through Joint Examination Teams (JETs), reviewing risk management and governance frameworks, incident reporting procedures, subcontracting arrangements, cybersecurity controls, and overall digital resilience practices. Regulators may request information, conduct investigations and inspections, and recommend cybersecurity measures directly. Non-compliance can be made public, and as a last resort, regulators may compel financial entities to suspend or terminate their use of a non-compliant CTPP’s services.

Non-EU CTPPs face additional pressure. Those not based in the EU must establish a local presence within 12 months of designation, and financial entities may be prevented from using their services if they fail to do so. Periodic penalty payments of up to 1% of average daily worldwide turnover can be levied for each day of non-compliance under Article 35(6) of DORA.

What this means for financial entities

If one of your ICT vendors has been designated a CTPP, that brings a degree of reassurance — the ESAs are now watching them. However, it does not diminish your own obligations in the slightest.

While designated providers now face direct regulatory scrutiny, financial institutions cannot treat this as a substitute for their own due diligence and risk management. Firms remain fully accountable for ensuring outsourcing arrangements meet DORA’s standards, irrespective of whether a vendor is under ESA supervision. That means robust contractual protections, independent risk assessments, and tested exit plans remain non-negotiable. Exit plans covering all 19 CTPPs must be documented and tested at least annually.

There is also a risk of commercial friction. Some CTPPs may argue that ESA oversight already covers the ground and push back on customer-imposed audit rights. That framing should not be accepted. A financial institution’s DORA obligations are entirely independent of the ESA oversight framework.

The list will evolve

The November 2025 list is not static. The ESAs will update and republish the list of designated CTPPs annually. Providers not currently designated could appear on future lists if their customer base grows or market concentration increases, while existing CTPPs could be removed if their circumstances change materially. ICT providers not yet on the list may also voluntarily request designation once the list is published.

What you should do now

For financial entities, the immediate priority is to cross-check your Register of Information against the 19 designated CTPPs. For every match, verify that contracts satisfy DORA’s requirements, update your risk register, and confirm that incident response procedures account for provider-level disruptions. CTPP relationships should be reported to your management body as part of the ICT risk report required under Article 5(4) of DORA.

For ICT vendors, if you are on the list, engage your Lead Overseer and establish your EU coordination entity without delay. If you are not, do not assume you are in the clear — financial entities will still apply DORA-standard contractual requirements to every vendor supporting a critical or important function.

DORA’s CTPP framework represents one of the most consequential shifts in EU financial regulation in years. It brings technology vendors inside the regulatory perimeter in a way that simply did not exist before. Understanding who qualifies, how they are assessed, and what obligations follow is the foundation of any credible digital resilience strategy.

Read the full Copla post here. 

Copyright © 2026 RegTech Analyst
