EU DORA: Regulators announce Critical ICT Third-Party Providers
On 18.11.2025 the European Supervisory Authorities (ESAs) announced 19 information and communications companies as Critical Third-Party Providers (CTPPs) under EU DORA.
Who are Critical Third-Party Providers under EU DORA?
The designated companies are large-scale providers of technology infrastructure, software, and data to EU financial services. They are considered critical because of:
- The potential systemic impact if the provider were to suffer a large-scale operational failure.
- The systemic importance of the financial entities that are reliant on the provider.
- The concentration of reliance on the provider within the financial sector.
- The (low) substitutability of the provider’s services.
The 19 are Accenture plc, Amazon Web Services EMEA Sarl, Bloomberg L.P., Capgemini SE, Colt Technology Services, Deutsche Telekom AG, Equinix (EMEA) B.V, Fidelity National Information Services Inc, Google Cloud EMEA Limited, International Business Machines Corporation, InterXion HeadQuarters B.V, Kyndryl Inc, LSEG Data and Risk Limited, Microsoft Ireland Operations Limited, NTT DATA Inc, Oracle Nederland B.V, Orange SA, SAP SE, Tata Consultancy Services Limited.
The list of CTPPs for EU DORA will be updated annually. Given recent major outages in global ICT, it is possible that the outsourced providers of the CTPPs may be subject to greater oversight in the future.
How are Critical Third-Party Providers regulated?
CTPPs are subject to direct oversight by ESAs to ensure they have appropriate risk management and governance structures to protect the financial sector from cyber threats and ensure resilience.
CTPPs now have several compliance obligations under the five pillars of DORA, including security, incident management, data sharing, and reporting.
As such, responsibility for IT is no longer just the customer’s problem; there are legal and commercial consequences for the CTPPs.
Who are the European Supervisory Authorities?
The joint committee of the European supervisory authorities includes the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
Why does DORA matter?
As financial services become digitalised and cyber attacks increase, the need for enhanced security and business continuity of information and communication technologies (ICT) has grown.
EU DORA seeks to improve resilience by creating new and higher standards for EU-regulated financial services firms and their third-party ICT providers.


