Table of Contents
- What Happened, Exactly?
- Why This List Matters So Much
- How the ESAs Decided Who Made the Cut
- What Direct Oversight Looks Like Under DORA
- The List Is New, but the Real Work Starts After Publication
- What Financial Firms Should Do Now
- What ICT Providers Should Do Now
- The Bigger Strategic Story Behind the Announcement
- Practical Experiences From the Ground: What This Has Felt Like Inside Firms
- Conclusion
The European Union’s Digital Operational Resilience Act, better known as DORA, has officially moved from “big regulatory idea” to “very real to-do list.” In a milestone announcement, the European Supervisory Authorities, or ESAs, published the first official list of critical ICT third-party providers, commonly called CTPPs, under DORA. That may sound like peak regulatory alphabet soup, but the development is a big deal for banks, insurers, investment firms, payment companies, and the technology vendors that keep those businesses humming.
Why? Because the list is not just a ceremonial roll call of major tech players. It marks the start of direct EU-level oversight for a select group of ICT providers that are considered systemically important to the financial sector. In plain English: when a provider sits underneath enough critical financial plumbing, regulators no longer want to rely only on supervised firms to manage that risk. They want a closer look at the provider itself.
And no, regulators did not throw darts at a wall covered in cloud logos. The designation process was built around DORA’s formal criticality criteria, using data from financial entities’ registers of information, plus a broader assessment of systemic impact, concentration, and substitutability. So this is less “surprise guest list” and more “if this vendor sneezes, half the market reaches for tissues.”
What Happened, Exactly?
The ESAs, which include the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority, published the first official DORA list of designated critical ICT third-party providers in November 2025. The list contains 19 names. These companies now sit inside DORA’s oversight framework, meaning they can be examined directly by the relevant European authority acting as Lead Overseer.
Here is the published list of designated CTPPs:
- Accenture plc
- Amazon Web Services EMEA Sarl
- Bloomberg L.P.
- Capgemini SE
- Colt Technology Services
- Deutsche Telekom AG
- Equinix (EMEA) B.V.
- Fidelity National Information Services, Inc.
- Google Cloud EMEA Limited
- International Business Machines Corporation
- InterXion HeadQuarters B.V.
- Kyndryl Inc.
- LSEG Data and Risk Limited
- Microsoft Ireland Operations Limited
- NTT DATA Inc.
- Oracle Nederland B.V.
- Orange SA
- SAP SE
- Tata Consultancy Services Limited
Even a quick glance tells the story. The list stretches across cloud, telecom, data centers, enterprise technology, outsourcing, financial data, and managed services. That breadth matters. DORA is not obsessed with only one type of vendor. It is concerned with digital dependencies across the whole financial stack.
Why This List Matters So Much
For years, financial firms have been told to manage third-party risk better. Inventory your vendors. Review your contracts. Monitor concentration. Test resilience. Prepare exit strategies. Translate vendor jargon into risk committee English. Then do it again, but this time with fewer acronyms and more evidence.
DORA does not throw that model away. Instead, it adds another layer. Financial entities still have to manage their own ICT third-party risk. But when a provider becomes “critical” at Union level, the ESAs can also engage that provider directly. That shifts the discussion from a purely indirect oversight model to a hybrid one: firms remain responsible for their vendor risk, while regulators gain tools to examine the most important providers themselves.
That is a major structural change. A bank using a cloud provider for payments, customer portals, data analytics, and recovery environments does not experience a provider outage as a small IT inconvenience. It becomes an operations issue, a customer experience issue, a compliance issue, and potentially a market confidence issue. DORA’s CTPP list is the EU’s way of saying that some technology dependencies are now too central to ignore at the provider level.
How the ESAs Decided Who Made the Cut
This was not a popularity contest, and it definitely was not a “who is the biggest tech company?” ranking. Under DORA, the ESAs followed a structured criticality assessment. The process relied first on the registers of information maintained by financial entities, which describe contractual arrangements for ICT services. That gave regulators a market-wide map of who provides what to whom.
From there, the ESAs and competent authorities looked at several factors that go to the heart of operational resilience:
- Systemic impact: What happens if the provider suffers a major disruption?
- Dependence: How many important financial entities rely on the provider?
- Critical or important functions: Are the services tied to essential business operations?
- Concentration risk: Is the market clustered around a small group of providers?
- Substitutability: Could firms realistically switch to alternatives without chaos and delay?
The providers identified as critical were then notified and given an opportunity to respond before final decisions were adopted. That matters because DORA’s oversight framework is serious business. Designation brings supervisory attention, information requests, governance scrutiny, and the possibility of recommendations and follow-up actions. It is not a badge of honor. It is a regulatory spotlight.
What Direct Oversight Looks Like Under DORA
Once designated, a CTPP becomes subject to oversight by a Lead Overseer from one of the three ESAs. The relevant Lead Overseer is supported by Joint Examination Teams, or JETs, which help carry out the oversight work. If that sounds a bit like a supervisory task force, that is because it essentially is.
Direct oversight can include:
- Requests for information
- Risk assessments and oversight planning
- General investigations
- Inspections, including on-site work where appropriate
- Recommendations to address identified weaknesses
- Monitoring of remediation and follow-up actions
The focus is not just cybersecurity in the narrow sense. Regulators are looking at governance, incident reporting, resilience of services, subcontracting chains, risk management processes, physical security, and the ability of providers to support financial entities reliably under stress. In other words, DORA is asking whether critical providers are built to handle the kind of messy, multi-layered, bad-Tuesday scenarios that real life tends to produce.
The regime also has an operational and financial dimension. Designated providers will deal with oversight planning and supervisory engagement on a recurring basis, and DORA’s framework includes oversight fees. The ESAs have also made clear that the list is updated annually, which means this is a living framework, not a one-and-done publication.
The List Is New, but the Real Work Starts After Publication
If you were hoping the publication of the list would somehow simplify third-party risk overnight, that is adorable. The truth is more complicated.
For financial entities, the list helps confirm which providers regulators view as especially important. But designation does not erase the responsibilities of banks, insurers, asset managers, or payment firms. They still have to manage their own third-party risk, document critical functions, maintain contractual safeguards, monitor concentration, and ensure they can respond to incidents. A vendor being directly overseen does not give the regulated customer permission to switch off its own controls and go on a long lunch.
For providers, the list creates a different kind of pressure. Some of the designated companies are already sophisticated compliance operators, but DORA asks them to frame resilience through the lens of financial-sector systemic risk. That is a distinct regulatory perspective. It is not enough to say, “We have security certifications and mature processes.” The question becomes, “Are those controls designed, documented, and governable in a way that satisfies DORA’s oversight expectations for services used by EU financial entities at scale?”
What Financial Firms Should Do Now
Financial entities do not need to panic, but they do need to move with intention. A smart response includes five practical steps.
1. Recheck your ICT dependency map
If one of the 19 providers is embedded across multiple critical services, that concentration should be visible at management and board level. Many firms know their vendors in silos. DORA requires a group-wide view.
2. Review contracts with a resilience mindset
This is not just about legal clauses for decoration. Firms should confirm whether their agreements support monitoring, incident response, access rights, data handling, exit planning, and subcontracting transparency in a way that is usable in a real disruption.
3. Stress-test assumptions about substitutability
Plenty of organizations say they could switch vendors “if necessary.” Under scrutiny, that often means, “after six steering committee meetings, two budget battles, and a minor existential crisis.” DORA forces firms to be more honest about what can actually be replaced, and how fast.
4. Improve communication between compliance, procurement, and technology teams
One of the most common operational problems is that each function holds a different piece of the same third-party puzzle. DORA works best when those teams are not playing regulatory charades with one another.
5. Watch for annual updates and spillover effects
The list will evolve. Firms should monitor future designations, changes in oversight expectations, and cross-border developments that could affect major providers and their customer relationships.
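Steps 1 and 3 above (a group-wide dependency map, and an honest view of substitutability) are easier to reason about with a small aggregation over register-of-information style records. The following is an added illustration, not code from the ESAs or from the article: the rows, provider names and the designated set are constructed, and the column layout is a simplified hypothetical version of a register entry.

```python
from collections import defaultdict

# Constructed sample rows modelled loosely on a register of information:
# (legal entity, business line, provider, ICT service,
#  supports a critical or important function, realistically substitutable)
REGISTER = [
    ("Bank A", "Payments", "Cloud Provider X", "hosting", True, False),
    ("Bank A", "Retail", "Cloud Provider X", "customer portal", True, False),
    ("Insurer B", "Claims", "Cloud Provider X", "analytics", False, True),
    ("Bank A", "Treasury", "Data Vendor Y", "market data", True, True),
    ("Insurer B", "Claims", "Data Vendor Y", "market data", False, True),
    ("Bank A", "Operations", "Telecom Z", "connectivity", True, False),
]

# Hypothetical: providers the group has matched against the published CTPP list.
DESIGNATED = {"Cloud Provider X"}


def dependency_clusters(rows):
    """Collapse per-contract rows into one cluster per provider across entities and lines."""
    clusters = defaultdict(lambda: {"entities": set(), "lines": set(),
                                    "services": set(), "critical": 0,
                                    "hard_to_replace": 0})
    for entity, line, provider, service, critical, substitutable in rows:
        c = clusters[provider]
        c["entities"].add(entity)
        c["lines"].add(line)
        c["services"].add(service)
        c["critical"] += int(critical)
        # A critical service with no realistic alternative is the exit-planning problem.
        c["hard_to_replace"] += int(critical and not substitutable)
    return clusters


def flag_concentration(clusters, designated, min_lines=2):
    """Return {provider: escalation level} for providers that back a critical
    function and appear in at least min_lines business lines; a designated
    provider with a hard-to-replace critical service goes to board level."""
    flags = {}
    for provider, c in clusters.items():
        if c["critical"] == 0 or len(c["lines"]) < min_lines:
            continue
        if provider in designated and c["hard_to_replace"]:
            flags[provider] = "board"
        else:
            flags[provider] = "management"
    return flags


def concentration_report(rows=REGISTER, designated=DESIGNATED):
    return flag_concentration(dependency_clusters(rows), designated)
```

On the constructed rows the cloud provider surfaces as a board-level dependency cluster (three business lines, two critical services with no substitute, and on the designated list), the data vendor as a management-level item, and the single-line telecom dependency is not flagged by this rule at all, which is exactly the kind of gap a siloed vendor view would hide.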
What ICT Providers Should Do Now
For designated providers, the best move is not to wait for the first uncomfortable question to arrive from a Lead Overseer. The better move is to get ahead of it.
That means testing whether governance structures are crisp enough, whether incident management and reporting procedures are defensible, whether subcontracting chains are well understood, and whether the provider can explain its resilience posture in language a supervisor can actually use. Providers should also expect the oversight conversation to be evidence-driven. A pretty slide deck is nice. A documented control environment is better.
For providers that did not make the list, this is still not a spectator sport. The ESAs update the list annually, and DORA includes an opt-in path for non-designated ICT providers that want to request assessment. More broadly, the market expectation around resilience is rising for everyone, not just the companies already on the published list.
The Bigger Strategic Story Behind the Announcement
The publication of the CTPP list says something bigger about financial regulation in 2025 and 2026: operational resilience has become infrastructure policy. Regulators are no longer focusing only on individual firms and their internal controls. They are also focusing on the shared digital foundations that multiple firms rely on at once.
That has two important consequences. First, it makes third-party risk more collective. A disruption at a single provider can affect many institutions across markets and sectors at the same time. Second, it makes DORA globally relevant. Many of the designated providers are international businesses with cross-border delivery models, and early 2026 cooperation steps between the EU and UK authorities point toward a more coordinated supervisory environment for critical providers operating across jurisdictions.
So while DORA is an EU regulation, the business implications reach well beyond Brussels. U.S.-headquartered vendors, multinational outsourcing firms, cloud providers, telecom operators, and enterprise software companies all need to pay attention if they support EU financial entities. Geography is not much of a shield when your services sit in the operational bloodstream of the market.
Practical Experiences From the Ground: What This Has Felt Like Inside Firms
One of the most interesting things about the ESAs publishing the DORA CTPP list is how familiar the run-up has felt to anyone who has lived through a serious third-party risk remediation program. The experience inside many firms has not been dramatic in a Hollywood sense. Nobody is sprinting down hallways with alarms blaring. It is more like a slow realization that your vendor inventory, your contract library, your architecture diagrams, your incident response playbooks, and your board reporting all need to tell the same story at the same time. That is a surprisingly high bar.
In practice, compliance teams have often discovered that the hardest part is not understanding DORA at a high level. The hardest part is reconciling different internal versions of the truth. Procurement may describe a vendor one way, technology teams may describe it another way, and legal may have a contract that still reflects an earlier service model. Then operational resilience staff come in and ask the question nobody wanted: which of these services actually support a critical or important function? That is where the room gets quiet, followed by a lot of calendar invites.
Another common experience is that concentration risk stops being abstract once firms map dependencies properly. A provider may appear in different business lines under different agreements, different entities, or different product names, but once the mapping is complete, the same provider may turn out to support core data, communications, hosting, analytics, or customer-facing services all at once. Suddenly, the conversation changes from “we have a vendor” to “we have a dependency cluster.” That is exactly the type of realization DORA was designed to force into the daylight.
For ICT providers, the experience has often been a mix of preparation and translation. Many large providers already have mature security and governance programs. The real challenge is translating those programs into a DORA-ready supervisory narrative. Teams have had to answer questions such as: Can we explain our subcontracting model clearly? Can we show how incidents are escalated to financial clients? Can we demonstrate resilience not just in technical terms, but in operational and governance terms that line up with what regulators expect? It is less about inventing entirely new controls and more about making existing controls legible, consistent, and provable.
There is also a human side to this. DORA preparation has pushed legal, risk, procurement, cyber, operations, and executive teams into the same room more often. That can be messy, but it is also healthy. The firms that seem to be handling this best are the ones treating DORA as a business resilience issue, not just a compliance memo with a deadline attached. The ESAs’ publication of the CTPP list reinforces that lesson. The winners will not be the organizations with the flashiest slide decks or the most heroic last-minute remediation sprints. They will be the ones that actually understand their dependencies, speak honestly about substitutability, and build governance strong enough to survive both outages and regulator questions without breaking into a sweat.
Conclusion
The ESAs’ publication of the first DORA list of critical ICT third-party providers is more than a regulatory milestone. It is a signal that digital resilience in finance is now being supervised where the dependencies actually live. The 19 designated providers are not random picks; they reflect the technologies and services the EU financial sector relies on most heavily.
For financial entities, the message is simple: keep strengthening third-party risk management, because direct oversight of a vendor does not replace your own obligations. For providers, the message is just as clear: resilience, governance, transparency, and operational discipline are no longer back-office virtues. Under DORA, they are front-and-center supervisory issues. The list may be published, but the real test begins after the applause ends.