On 19 November 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) designated 19 critical ICT third‑party providers under Article 32(1) of DORA for the first time, a key step for direct European supervision under DORA.
The selection was made using a two‑step model that assessed systemic relevance, substitutability, concentration risks and the scope of services provided. The critical providers are primarily large cloud and platform service providers such as AWS, Google Cloud, Deutsche Telekom and Microsoft, as well as Oracle and SAP.
With their official classification as “critical ICT third‑party providers” (CTPPs), these firms are now subject to direct oversight by the ESAs. This includes annual risk analyses, comprehensive reporting obligations, on‑site inspections and active cooperation with the authorities. Supervision will be carried out by Joint Examination Teams (JETs) composed of staff from the ESAs and national authorities.
What does this mean for financial firms?
For financial firms, nothing changes in terms of their own responsibility: they must maintain transparency over dependencies, manage risks arising from third‑party relationships, and integrate the insights from ESA supervision into their ICT risk management.
Next steps in supervision:
- From 2026: Start of operational supervision by the ESAs (approx. 30 supervisors).
- JETs & Lead Overseer: Establishment of the examination teams and appointment of a lead overseer for each CTPP.
- Opt‑in: Non‑designated providers may apply voluntarily for classification.
Here you can find the list of critical ICT service providers
The list has been published as a PDF under the title: The European Supervisory Authorities designate critical ICT third‑party providers under the Digital Operational Resilience Act | European Banking Authority