The European Supervisory Authorities (ESAs) published on November 18, 2025 a list of 19 critical information and communications technology (ICT) third-party providers (CTPPs) that will be subject to direct oversight under the EU Digital Operational Resilience Act (DORA). The list includes hyperscale cloud providers, data center providers, infrastructure and network providers, and providers of financial services-specific technology.
Background
The ESAs made the designation by following a prescriptive methodology set out under DORA, based on four criteria: the potential systemic impact if the provider were to suffer large-scale operational failure; the systemic importance of financial entities that are reliant on the provider; the concentration of reliance on the provider within the banking, insurance and pensions, and securities and markets sectors; and the substitutability of the provider’s services.
The ESAs’ designations have been informed by data collection from the registers of information submitted by financial entities to their competent supervisors, which identify third-party ICT providers that support critical or important functions of each financial entity.
In the press release, the ESAs state that third-party ICT providers assessed as critical were formally notified and had a right to respond by providing a reasoned statement. According to the ESAs, the final designation decisions were adopted following a careful review of all relevant information, including those statements.
Analysis
For the CTPPs, the ESAs (the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority) will have direct oversight powers to assess whether the CTPPs have in place appropriate risk management and governance frameworks pursuant to DORA. This includes assessing procedures on incident reporting, subcontracting, and ICT security. Each CTPP must designate a legal entity, ideally an EU subsidiary with sufficient resources, as its coordination point with the relevant ESA, and it must also pay annual oversight fees to that ESA.
Where the relevant ESA identifies deficiencies in a CTPP's risk management and governance framework, it may issue recommendations for remediation. If the CTPP does not comply with those recommendations, it must explain its reasons to the ESA. In that scenario, the ESA could make the provider's noncompliance public and, as a last resort, require financial entities to suspend use of the provider's services and/or terminate the relevant contractual arrangements.
For financial entities, the designation of one of their ICT service providers as a CTPP may prove to be a double-edged sword. On the one hand, the CTPP's risk management and governance procedures will be subject to direct regulatory oversight. That gives the financial entity a degree of assurance and means DORA compliance is no longer just "the customer's problem," which could have commercial consequences for the terms agreed between customer and provider on compliance with law and on termination.
On the other hand, as CTPPs prepare for direct regulatory oversight, they may seek to align the oversight controls they grant to customers with their newly operationalized compliance procedures, arguing that direct regulatory oversight should in and of itself give financial entity customers a degree of assurance.
The list published by the ESAs is interesting. It casts a wide net of "systemic importance," including certain managed services providers and financial services-specific technology providers, while other third-party ICT providers that arguably could meet the four designation criteria are not included. For example, recent global ICT outages, including one on the same day the list of CTPPs was published, have highlighted how much service continuity depends on a wider ecosystem of ICT service providers. Fourth-party service providers within that ecosystem may arguably come under closer scrutiny through the assessment of the designated CTPPs' subcontracting procedures.
The list of critical ICT third-party providers will be updated and published by the ESAs on an annual basis.