The designation of systemic providers marks the beginning of a significant operational shift for financial institutions, which will need to strengthen their understanding of third-party dependencies and the risks that accompany them.
The European Supervisory Authorities’ (ESAs) November 2025 announcement of their first list of critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA) is a significant milestone in the EU’s implementation of the regime.
It marks a shift from firm-level to systemic ICT risk management, with the ESAs aiming to address concentration risk in critical infrastructure.
DORA fundamentally reshapes how financial institutions manage ICT dependencies, as well as how ICT providers structure their governance, security and resilience frameworks.
The ESAs completed a multi-step assessment with national authorities and identified 19 providers whose services are systemically important and difficult to substitute. The designated organisations cover cloud, data, infrastructure and core banking technology services, and include big tech firms such as Amazon Web Services, Google and Microsoft.
DORA took effect in January 2025 and is designed to strengthen the operational resilience of the EU financial sector. Under the act, third-party ICT service providers identified as playing a critical role for financial entities in the EU are subject to direct oversight by the ESAs.
The ESAs comprise the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).
The oversight framework helps to address potential systemic and concentration risks arising from the financial sector's reliance on a limited number of ICT providers. It complements, rather than replaces, financial entities’ own responsibilities for managing ICT-related risks and the supervision already exercised over them by competent authorities.
The CTPPs will be subject to direct supervisory engagement, testing and risk-management scrutiny under the DORA Oversight Framework.
The ESAs identified the 19 designated firms using a three-stage methodology mandated under DORA.
- First, they collected data from financial entities detailing their contractual arrangements for ICT services.
- Second, they conducted a detailed assessment of providers’ criticality, in cooperation with competent authorities across the EU banking, insurance and pensions, and securities and markets sectors.
- Third, the ICT third-party providers the ESAs determined to be critical were notified.
The regulators considered a number of points in their analysis, including the potential systemic impact if a provider were to suffer large-scale operational failure and the systemic importance of the financial entities that rely on the providers.
The final designation decisions were then adopted based on a careful review of all relevant information.
Managing systemic ICT risk
The designated CTPPs play a pivotal role in the EU financial ecosystem, providing ICT services to financial entities of all types and sizes across the bloc.
The DORA Oversight Framework aims to ensure that these providers maintain robust and effective ICT risk-management practices.
The ESAs will seek to achieve this through direct oversight, assessing whether CTPPs have appropriate risk-management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities.
For the designated firms, this will mean oversight examinations, mandatory information submissions, resilience and stress-testing requirements, and targeted investigations into ICT governance and risk controls.
For financial entities, the designation of the CTPPs has both advantages and disadvantages.
If one of their ICT providers is on the list, its risk management and governance procedures will be subject to direct regulatory oversight. This offers a degree of regulatory assurance over the provider’s controls and gives firms greater confidence in their own operational resilience.
However, designated CTPPs may argue that their oversight by the ESAs can replace the strong contractual protections previously in place.
Given that the regulators’ oversight is focused on systemic resilience, this could leave individual organisations in a vulnerable position – liable to their national supervisors for ICT risk management and required under DORA to demonstrate effective third-party oversight, but with weak contractual tools to enforce that oversight.
Shifting approach to risk management
Because financial organisations typically rely on a small number of third-party providers for core ICT services, a failure at one of those providers can affect the entire banking and finance sector.
The CTPP regime is intended to address this risk, but it is important to note that being designated as a CTPP is not a certification of quality or security – it just means that a provider has been identified as systemically critical.
The designation of 19 CTPPs marks the beginning of a significant operational shift for financial institutions.
Although the ESAs now have direct oversight responsibilities, individual entities remain fully accountable for managing their ICT dependencies. The challenge ahead is translating this regulatory development into concrete action.
Financial organisations need to understand where any of the CTPPs sit within their ICT architecture, identifying which critical or important functions rely on designated providers and where single points of failure exist.
They should also be mindful that DORA's Register of Information is a living document that supervisors will increasingly use as a primary examination tool. With CTPPs now designated, competent authorities will cross-reference registers against the official list, looking for gaps, inconsistencies or outdated assessments.
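As an added illustration, not taken from the article or from any regulator's tooling, the following Python sketches how an institution might run the checks just described over a simplified Register of Information: mapping critical functions to designated providers, flagging single points of failure, spotting stale assessments and catching name spellings that would not match the official list. The three CTPP names are the ones the article cites; the register rows, the alias table and "RegionalDC Ltd" are constructed placeholders, and the row format is a simplification of the DORA register template.

```python
from datetime import date, timedelta

# Constructed sample data. Only the three CTPP names come from the article;
# the register rows, aliases and "RegionalDC Ltd" are placeholders.
CTPP_LIST = {"Amazon Web Services", "Google", "Microsoft"}
ALIASES = {"aws": "Amazon Web Services", "azure": "Microsoft", "gcp": "Google"}  # assumed spellings

REGISTER = [  # simplified stand-in for Register of Information rows
    {"function": "payments", "critical": True, "service": "hosting", "provider": "AWS", "assessed": date(2025, 3, 1)},
    {"function": "payments", "critical": True, "service": "identity", "provider": "Microsoft", "assessed": date(2025, 9, 15)},
    {"function": "core banking", "critical": True, "service": "hosting", "provider": "Amazon Web Services", "assessed": date(2024, 6, 10)},
    {"function": "core banking", "critical": True, "service": "hosting", "provider": "Microsoft", "assessed": date(2025, 8, 1)},
    {"function": "marketing", "critical": False, "service": "analytics", "provider": "Google", "assessed": date(2025, 1, 20)},
    {"function": "treasury", "critical": True, "service": "colocation", "provider": "RegionalDC Ltd", "assessed": date(2025, 2, 2)},
]

def canonical(provider):
    """Normalise a register spelling so it can be matched against the official list."""
    return ALIASES.get(provider.lower(), provider)

def ctpp_exposure(register, ctpp_list=CTPP_LIST):
    """Map each critical or important function to the designated providers it relies on."""
    out = {}
    for row in register:
        name = canonical(row["provider"])
        if row["critical"] and name in ctpp_list:
            out.setdefault(row["function"], set()).add(name)
    return out

def single_points_of_failure(register, ctpp_list=CTPP_LIST):
    """(function, service) pairs delivered by exactly one provider, that provider being a CTPP."""
    by_pair = {}
    for row in register:
        if row["critical"]:
            by_pair.setdefault((row["function"], row["service"]), set()).add(canonical(row["provider"]))
    return sorted(pair for pair, providers in by_pair.items() if len(providers) == 1 and providers <= ctpp_list)

def stale_ctpp_assessments(register, today, max_age_days=365, ctpp_list=CTPP_LIST):
    """Rows naming a CTPP whose last risk assessment is older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return [(row["function"], canonical(row["provider"])) for row in register
            if canonical(row["provider"]) in ctpp_list and row["assessed"] < cutoff]

def inconsistent_names(register, ctpp_list=CTPP_LIST):
    """Register spellings that resolve to a CTPP but do not match the official list entry."""
    return sorted({row["provider"] for row in register
                   if canonical(row["provider"]) in ctpp_list and row["provider"] not in ctpp_list})
```

Real registers hold many more fields, so in practice the normalisation step would key on a legal entity identifier rather than a free-text name.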
In addition, contracts with CTPPs will attract significant attention during examinations, with supervisors focusing on whether institutions have maintained robust protections despite the provider's regulated status.
CTPP designation does not relieve financial institutions of their obligations. Firms must balance regulatory assurance from ESA oversight with the contractual and operational controls necessary to meet their own resilience requirements.
Institutions that treat CTPP designation as the start of a more mature, risk-based approach to third-party ICT governance will be best placed to adapt and prosper under the new system.