ESAs publish first list of critical ICT third-party providers under DORA
RegCORE Client Alert | Banking Union, Capital Markets Union + Savings and Investment Union, Insurance Union and EU Digital Single Market, financial services and crypto-assets
QuickTake
The EU’s framework known as the Digital Operational Resilience Act (DORA) establishes a harmonised regulatory framework to strengthen the digital operational resilience of the EU financial sector. A key element of DORA is the identification and oversight of third-party information and communications technology (ICT) service providers whose activities are deemed critical to the stability and security of the financial system (such critical ICT providers known as CTPPs).
On 18 November 2025, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), published their first list of designated CTPPs as mandated under Art. 31(9) DORA. The designation of CTPPs triggers enhanced regulatory scrutiny and direct oversight by the ESAs, as opposed to by national competent authorities (NCAs).
Further designation rounds are expected to follow in the future. Such further updates may add and/or subtract from the overall number and types of critical CTPPs. As explored in this Client Alert, this first designation and those that follow may have a number of implications on users of such CTPPs’ services and require changes to internal policies, procedures and controls as well as various contract types.
This Client Alert should be read in conjunction with further Thought Leadership from PwC Legal’s EURegCORE on DORA together with further blog posts from PwC Advisory teams detailing the oversight framework of both the ESAs and NCAs along with details of our comprehensive technical and legal offering and automated solutions to ensure compliance with DORA and similar legislative, regulatory and supervisory requirements across other jurisdictions.
Key Takeaways
Pursuant to DORA, the ESAs jointly designate certain ICT providers as “critical” (and thus as CTPPs) based on criteria such as systemic reliance, substitutability, concentration and the potential impact of disruption. The ESAs have designated the following as CTPPs (in alphabetical order):
- Accenture plc
- Amazon Web Services EMEA Sarl
- Bloomberg L.P.
- Capgemini SE
- Colt Technology Services
- Deutsche Telekom AG
- Equinix (EMEA) B.V.
- Fidelity National Information Services, Inc.
- Google Cloud EMEA Limited
- International Business Machines Corporation (IBM)
- InterXion HeadQuarters B.V.
- Kyndryl Inc.
- LSEG Data and Risk Limited
- Microsoft Ireland Operations Limited
- NTT DATA Inc.
- Oracle Nederland B.V.
- Orange SA
- SAP SE
- Tata Consultancy Services Limited
The list is subject to periodic review and may be updated as the supervisory authorities assess the evolving ICT risk landscape.
Designation has three core consequences for CTPPs:
- Direct ESA oversight of the CTPP. Designated providers become subject to a centralised oversight regime coordinated by the ESAs (via a Joint Oversight Forum). The ESAs can issue recommendations, perform inspections via lead overseers, require remediation plans and, if necessary, apply coercive measures.
- Potential restrictions if risks are not mitigated. In cases of serious, persisting non-compliance by a CTPP, the ESAs can escalate and, ultimately, NCAs may require financial entities to suspend, phase out or terminate arrangements with that CTPP in respect of specific services/functions.
- Enhanced cooperation obligations. CTPPs are expected to cooperate with sector-wide testing and information requests and to support financial entities’ DORA obligations (e.g., incident reporting support, testing participation, audit facilitation, exit execution).
This first list of designations signals the following supervisory themes (and ultimately likely priorities in scrutiny for both CTPPs as well as users of their services) – namely:
- Systemic reliance on a small set of providers. Cloud hyperscalers, major data vendors and core ICT integrators feature prominently. This underscores supervisors’ focus on concentration risk and practical substitutability.
- Interconnected infrastructure layers. The presence of colocation and telecom providers alongside cloud and data vendors highlights fourth-party dependencies that can invalidate simplistic diversification strategies.
- Sector-wide coordination. The oversight framework anticipates pooled solutions (e.g., common assurance, coordinated testing) to reduce duplicative burdens while maintaining robust access and transparency.
Importantly, designation does not shift responsibility from those categorised under DORA as “financial entities”. Under DORA, financial entities remain fully responsible for operational resilience and third-party risk management, including where a CTPP is directly overseen by the ESAs.
Under DORA, “financial entities” are the regulated firms and market infrastructures to which the Regulation applies. The term is defined by reference to an exhaustive list in Article 2(1) of DORA. In practical terms, it covers the core prudential, markets, payments, funds, insurance and market infrastructure populations in the EU. The principal categories include: credit institutions; payment institutions and account information service providers; electronic money institutions; investment firms; crypto-asset service providers and issuers of asset-referenced tokens (under MiCA); central counterparties (CCPs); central securities depositories (CSDs); market operators of trading venues (regulated markets, MTFs and OTFs); data reporting service providers (APAs, ARMs and CTPs); trade repositories; securitisation repositories; insurance and reinsurance undertakings; insurance and reinsurance intermediaries and ancillary intermediaries (subject to size-based carve-outs); institutions for occupational retirement provision (IORPs) (subject to IORP-specific exclusions); UCITS management companies and self-managed UCITS; alternative investment fund managers (AIFMs); depositaries of UCITS and AIFs; and EU crowdfunding service providers. The list in DORA is closed: a firm is a “financial entity” only if it falls within one of the enumerated types in Article 2(1). Proportionality and exclusions apply in specific cases; for example, certain micro-enterprises (notably among insurance intermediaries) benefit from lighter obligations, and some sectors have tailored requirements. Being a “financial entity” triggers the full suite of DORA obligations (ICT risk management, incident reporting, testing and third-party risk), regardless of whether the firm uses a designated critical ICT third-party provider.
Implications for financial entities
For financial entities it is important to note that pursuant to DORA:
- The oversight is applied to the provider, not to the financial entity’s contract per se. However, it has knock-on implications for financial entities’ contracts, assurance mechanisms and risk management, because financial entities must be able to evidence compliance with DORA regardless of the provider’s designation.
- Supervisors may expect financial entities to leverage the EU level assurance and findings produced through the CTPP regime, but this does not remove the need for firm specific due diligence and controls, recognising that EU-level oversight outputs are unlikely to be sufficient alone.
Financial entities engaging with designated CTPPs should ensure robust third-party risk management across the entire lifecycle, reviewing their contractual arrangements to ensure compliance with DORA’s requirements, as contractual exposure to a CTPP introduces specific legislative, regulatory and supervisory considerations. This can be summarised as the following issues that financial entities engaging with CTPPs will want to consider:
1) Governance, risk and concentration management
- Board accountability remains central. ICT and outsourcing risk frameworks should be updated to explicitly account for the use of designated CTPPs. The management body must oversee ICT third-party risk, set an explicit risk appetite and tolerances for concentration on those providers (including for concentration risk in critical functions) and ensure adequate resourcing, skills and challenge.
- Concentration risk scrutiny intensifies. The presence of multiple cloud and data giants on the list highlights the risk of single or multi provider concentration, regional dependencies and correlated failure modes (e.g., shared underlying infrastructure or internet exchanges). One can expect NCAs to probe:
- reliance on any one designated CTPP for critical or important functions;
- regional availability zone strategy and failover realism;
- correlated risks across providers; and
- fourth-party chains (e.g., colocation and telecom dependencies that also appear on the list).
- Criticality mapping must be robust. Financial entities should maintain an up-to-date mapping of which business services and processes are “critical or important” and where these rely on designated CTPPs, including data flows, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) assumptions and substitution feasibility.
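The concentration probes and criticality mapping described in this section are, in practice, a graph walk over the firm’s register of ICT arrangements. The following is an added example, not code from the Client Alert, the ESAs or PwC Legal: it takes a constructed register (the functions, the non-designated intermediary providers and every sub-outsourcing link are invented; only the CTPP names are those quoted in the alert) and answers three of the questions an NCA is likely to ask: which critical or important functions rely on each designated CTPP once fourth-party chains are followed, which functions sit on a single designated provider, and where two “diversified” direct providers converge on the same designated CTPP downstream.

```python
"""Concentration and fourth-party analysis over a constructed ICT register.

Added example, not from the Client Alert or the ESAs. The CTPP names are those
on the ESAs' first list as quoted in the alert; every function, intermediary
provider and sub-outsourcing link below is constructed for illustration.
"""
from collections import defaultdict

# Designated CTPPs (subset of the ESAs' first list, as quoted in the alert).
DESIGNATED_CTPPS = {
    "Amazon Web Services EMEA Sarl",
    "Equinix (EMEA) B.V.",
    "Colt Technology Services",
    "Microsoft Ireland Operations Limited",
    "Bloomberg L.P.",
}

# Constructed register: function -> criticality flag and direct ICT providers.
REGISTER = {
    "payments-processing": {"critical": True,
                            "providers": ["CloudStack Ltd", "Retail Payments Hosting BV"]},
    "market-data-feed":    {"critical": True, "providers": ["Bloomberg L.P."]},
    "trading-platform":    {"critical": True,
                            "providers": ["Microsoft Ireland Operations Limited"]},
    "hr-portal":           {"critical": False, "providers": ["PeopleSoft Hosting Co"]},
}

# Constructed material sub-outsourcing disclosures: provider -> its providers.
# (Hypothetical links; e.g. the AWS -> Equinix colocation link is invented.)
SUBCONTRACTORS = {
    "CloudStack Ltd": ["Amazon Web Services EMEA Sarl"],
    "Retail Payments Hosting BV": ["Equinix (EMEA) B.V.", "Colt Technology Services"],
    "Amazon Web Services EMEA Sarl": ["Equinix (EMEA) B.V."],
    "PeopleSoft Hosting Co": [],
}


def supply_chain(provider, links=SUBCONTRACTORS):
    """All providers reachable from `provider` through sub-outsourcing, itself included.
    An explicit stack plus a seen-set means circular disclosures cannot loop forever."""
    seen, stack = set(), [provider]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(links.get(current, []))
    return seen


def designated_in_chain(provider):
    """Designated CTPPs that a direct provider is, or depends on, at any depth."""
    return supply_chain(provider) & DESIGNATED_CTPPS


def ctpp_exposure(register=REGISTER):
    """Map each designated CTPP to the critical or important functions that rely on it,
    directly or through a fourth-party chain."""
    exposure = defaultdict(set)
    for function, entry in register.items():
        if not entry["critical"]:
            continue
        for provider in entry["providers"]:
            for ctpp in designated_in_chain(provider):
                exposure[ctpp].add(function)
    return {ctpp: sorted(functions) for ctpp, functions in exposure.items()}


def single_point_functions(register=REGISTER):
    """Critical functions with exactly one direct provider that is (or sits on) a
    designated CTPP: the reliance a supervisor would probe first."""
    return sorted(
        function for function, entry in register.items()
        if entry["critical"] and len(entry["providers"]) == 1
        and designated_in_chain(entry["providers"][0])
    )


def shared_fourth_parties(register=REGISTER):
    """Critical functions whose nominally independent direct providers all converge on
    the same designated CTPP downstream, i.e. diversification that holds only on paper."""
    findings = {}
    for function, entry in register.items():
        if not entry["critical"] or len(entry["providers"]) < 2:
            continue
        chains = [designated_in_chain(p) for p in entry["providers"]]
        common = set.intersection(*chains)
        if common:
            findings[function] = sorted(common)
    return findings


if __name__ == "__main__":
    for ctpp, functions in sorted(ctpp_exposure().items()):
        print(f"{ctpp}: {', '.join(functions)}")
    print("single designated provider:", single_point_functions())
    print("shared fourth parties:", shared_fourth_parties())
```

On the constructed data, payments-processing looks diversified across two direct providers, yet both chains end at the same colocation CTPP, which is exactly the pattern the alert warns invalidates simplistic diversification. In a real register the same walk would be run over the Article 28 register of information, with the designated set refreshed whenever the ESAs update the list.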
2) Contracting and vendor management
- DORA-compliant clauses are non-negotiable. Contracts with designated CTPPs supporting critical or important functions should already include DORA-mandated terms, such as:
- clear service description, SLAs and security measures;
- data processing/hosting locations and transfer conditions;
- comprehensive audit, access and information rights (including for the firm, internal audit, external auditor and competent authorities);
- incident notification timelines and cooperation duties aligned with DORA’s major incident reporting;
- support for testing (including TLPT participation where relevant);
- subcontracting transparency and approval/notification triggers for material sub outsourcing;
- business continuity, resilience, back up and failover commitments that match impact tolerances; and
- orderly exit and termination assistance, with workable transition periods and data portability.
- Provider “DORA annexes” require careful review. Many designated providers offer standard DORA addenda. These can be efficient but must be checked for:
- scope gaps (e.g., carve outs for certain services or regions);
- practical audit modalities (on site vs pooled audit/independent assurance, frequency, cost sharing);
- subcontracting disclosures and rights in complex chains;
- alignment with a firm’s internal policy thresholds for criticality and incident timelines; and
- reconciliation of provider assurance artefacts (e.g., independent audit reports, certifications) with DORA’s evidentiary needs.
- Pricing and pass-through of oversight costs. CTPPs may seek to pass through oversight-related costs (e.g., additional assurance, testing support). Financial entities may wish to ensure pricing clauses and change control mechanisms manage this risk.
3) Register, notifications and supervisory engagement
- Maintain the third-party register. DORA requires an up-to-date register of all ICT third-party arrangements, with enhanced detail for those supporting critical or important functions. Financial entities will want to tag entries involving designated CTPPs for targeted oversight.
- Notifications and information requests. While DORA does not impose a universal prior-approval regime for third-party contracts, NCAs can require notifications and will expect financial entities to produce, on request, granular information on CTPP-backed critical services. Some NCAs have issued or will issue templates; financial entities will want to ensure alignment with their lead NCA’s expectations.
- Responding to ESA oversight outcomes. If the ESAs issue recommendations to a CTPP affecting services, NCAs may ask a firm to assess impact, adjust controls, or implement mitigations within defined timelines.
4) Resilience architecture and exit
- Design for practical substitutability. Given the systemic nature of the designated CTPPs, genuine substitutability is challenging. Financial entities should:
- assess and document concentration risk (intra-firm and sectoral), including dependencies on a small number of cloud, data and connectivity providers;
- consider substitutability and exit feasibility, including practical steps to enable switching or parallel run and realistic timelines, data portability and interoperability;
- map critical or important functions to specific services and components provided by CTPPs (including sub-outsourcing layers);
- validate multi cloud or multi region designs beyond paper architecture (scenario test failover, data egress/ingress, IAM and control plane contingencies);
- pre position data and infrastructure as code templates to reduce switching time; and
- quantify exit timelines and costs in line with impact tolerances.
- Scenario testing for correlated disruptions. Test scope should include relevant third-party scenarios and align severe but plausible scenarios to the CTPP's failure modes (e.g., regional cloud outage, control plane disruption, IAM compromise, core network incident, significant data corruption). Financial entities should ensure they can evidence what remains within tolerance.
- Data portability and escrow. Ensure data formats, schemas and encryption key management support portability. Consider escrow for critical artefacts (e.g., runbooks, IaC, images).
5) Incident management and reporting
- Upstream detection and downstream reporting. Contracts must ensure timely, sufficiently granular incident notifications from CTPPs to enable DORA major incident classification and reporting. Financial entities will want to validate:
- telemetry access and event data retention;
- validated mechanisms for root cause analysis (RCA), remediation tracking and lessons learned across both firm and provider responsibilities;
- participation in coordinated communications where multiple financial entities are affected; and
- consideration of whether sector-wide incidents at designated CTPPs could trigger simultaneous reporting across multiple jurisdictions and entities and preparation of coordination protocols.
- Testing and TLPT participation. Where financial entities are in scope for Threat-Led Penetration Testing (TLPT), ensure the CTPP’s cooperation path is workable, with clear roles, data boundaries and approvals. This includes practicalities like whitelisting, engagement windows, red team rules of engagement and leveraging any sectoral pooled testing frameworks recognised by the oversight regime.
6) Subcontracting chains and fourth party risk
- Visibility over material sub-outsourcing. Several designated CTPPs rely on other designated entities (e.g., colocation, network, data feeds). Financial entities must obtain and maintain visibility of material sub-outsourcing relevant to their services (including locations, data residency and resilience controls) and ensure they receive timely disclosure of material changes, retaining approval or termination rights where risk increases.
- Geographic and legal risk. Financial entities must introduce measures to track where sub-providers process/store data and the legal regimes that apply, ensuring alignment with financial entities’ data protection and supervisory access requirements.
7) Group and cross border considerations
- Harmonised baseline, local overlays. DORA provides an EU baseline, but NCAs may apply additional expectations or require specific artefacts. Align group policies to the EU baseline, then adapt per jurisdiction.
- Third-country providers. Use of non-EU CTPPs remains permitted, provided one can ensure contractual supervisory access, cooperation and data safeguards. Financial entities should validate enforceability with conflict-of-laws input where needed.
- Procurement and portfolio design should reflect the increased regulatory focus on designated CTPPs. This includes considering multi-region, multi-zone, or multi-provider approaches to reduce single points of failure and building in interoperability and portability (e.g., containerisation standards, data export formats, alternative connectivity options).
8) Enforcement and consequences
- For CTPPs. The ESAs can issue recommendations and, for non-compliance, apply coercive measures (including periodic penalty payments). Persistent non-compliance can trigger NCA interventions vis-à-vis financial entities’ use of the CTPP.
- For financial entities. NCAs can impose administrative measures and sanctions for failures to meet DORA obligations, including in third-party risk management, incident reporting, testing and resilience outcomes.
- Evidencing compliance. Supervisors will expect financial entities to demonstrate a clear view of which designated CTPPs the firm depends on for which critical or important functions; how the firm’s controls, assurance and testing cover those dependencies; and how the firm monitors and acts upon findings from EU oversight of the CTPP, integrating them into its risk management.
The considerations above apply to existing and new contracts with designated CTPPs and will require input from across all key stakeholders involved in DORA as well as legal and risk management functions more generally.
Outlook
The publication of the CTPP list marks a significant milestone in the implementation of DORA: it operationalises the ESAs’ direct oversight of the ICT providers most critical to the financial sector. For regulated financial entities, this does not dilute responsibility; instead, it raises the bar on governance, concentration risk management, contractual robustness, testable resilience and supervisory readiness. Financial entities should now ensure that their contracts, architectures, registers and board-level oversight are demonstrably DORA-compliant for all arrangements touching the designated CTPPs, with particular emphasis on critical or important functions.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” as well as the “2025 Regulatory, Governance and Compliance Technology Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.