As we approach the final quarter of 2025, the European Supervisory Authorities (ESAs) are making significant progress in implementing the pan-European oversight framework for critical ICT third-party service providers (CTPPs) under DORA. This article examines the latest developments and their implications for financial institutions.

Current Status of CTPP Designations

The ESAs have been working diligently on the criticality assessment process mandated by DORA. Following the April 30, 2025 deadline for financial institutions to submit their Registers of Information on ICT third-party arrangements, the authorities are now in the evaluation phase.

Timeline Update

  • April 30, 2025: Financial entities submitted their ICT service provider registers
  • July 2025: ESAs expected to notify ICT third-party service providers of their critical status
  • Six-week objection period: Providers can challenge their designation
  • Q4 2025: Oversight engagement to commence

What Makes a Provider "Critical"?

Assessment Criteria

The ESAs evaluate ICT service providers based on multiple factors:

  • Systemic Impact: Number and importance of financial entities served
  • Interconnectedness: Degree of financial sector dependency
  • Substitutability: Availability of alternative providers
  • Complexity: Technical complexity of services provided
  • Cross-Border Footprint: Services across multiple member states

Expected Designations

While the ESAs have not yet published the official list, industry expectations include major providers such as:

  • Major cloud service providers (AWS, Microsoft Azure, Google Cloud)
  • Core banking system vendors
  • Payment processing infrastructure providers
  • Major cybersecurity service providers
  • Critical data center operators

Implications for Financial Institutions

Enhanced Assurance

CTPP designation brings significant benefits for financial entities:

  • Direct EU Oversight: ESAs will directly supervise critical providers
  • Standardized Requirements: Consistent compliance expectations across providers
  • Regular Audits: Mandatory assessments by supervisory authorities
  • Incident Transparency: Enhanced reporting obligations to ESAs
  • Reduced Due Diligence Burden: Reliance on regulatory oversight

Ongoing Responsibilities

Despite CTPP oversight, financial institutions must still:

  • Maintain contractual relationships and obligations
  • Conduct periodic risk assessments
  • Monitor service performance and incidents
  • Manage concentration risk
  • Maintain exit strategies and contingency plans

The Oversight Framework

ESA Powers Over CTPPs

Once designated, critical providers become subject to:

  • Onsite Inspections: ESAs can conduct examinations at provider facilities
  • Document Requests: Comprehensive information gathering powers
  • General Investigations: Broad investigatory authority
  • Recommendations: Binding recommendations for improvements
  • Enforcement Actions: Penalties for non-compliance up to €5 million

Oversight Activities

The ESAs will engage in:

  • Regular compliance assessments
  • Risk-based examinations
  • Incident investigation and analysis
  • Thematic reviews of specific risks
  • Coordination with national authorities

Impact on Cloud Service Adoption

Regulatory Clarity

CTPP designation provides greater certainty for cloud adoption:

  • Standardized Approach: Consistent regulatory treatment across the EU
  • Enhanced Confidence: Direct oversight provides additional assurance
  • Reduced Variability: Less divergence in national supervisory expectations
  • Streamlined Approvals: Potentially faster approval processes for cloud adoption

Contractual Considerations

Major cloud providers have been preparing DORA-compliant contract addenda:

  • Pre-approved DORA clauses available
  • Standardized audit rights and access provisions
  • Enhanced incident notification procedures
  • Improved data portability commitments

Preparing for CTPP Oversight

For Financial Institutions

Organizations should take these actions:

  1. Review Provider Relationships: Identify which of your providers may be designated as critical
  2. Update Contracts: Ensure agreements include DORA-required clauses
  3. Adjust Due Diligence: Adapt third-party risk management to account for ESA oversight
  4. Monitor Developments: Stay informed about designation decisions
  5. Document Reliance: Maintain clear records of how you rely on CTPPs

Communication with Providers

Engage with your ICT service providers to:

  • Understand their preparation for potential designation
  • Clarify how ESA oversight will affect service delivery
  • Discuss incident reporting coordination
  • Review audit and access rights implementation

Non-Critical Providers

Continued Entity Responsibility

For providers not designated as critical:

  • Financial institutions retain full third-party management responsibility
  • All DORA Pillar 4 requirements continue to apply
  • Enhanced due diligence may be necessary
  • Contractual obligations remain essential

Concentration Risk Implications

Consider diversification strategies:

  • Evaluate over-reliance on critical providers
  • Assess alternative provider options
  • Plan for potential disruptions to critical services
  • Test exit and contingency arrangements

Industry Collaboration

Information Sharing

The CTPP framework facilitates:

  • Incident Intelligence: ESAs can share information about CTPP incidents
  • Best Practices: Coordination on common challenges
  • Emerging Risks: Early warning of systemic threats
  • Regulatory Clarity: Consistent interpretation of requirements

Industry Working Groups

Participate in collaborative efforts:

  • Trade association initiatives on CTPP relationships
  • Peer learning forums on cloud compliance
  • Collective negotiation with major providers
  • Sharing of contract templates and due diligence approaches

Looking Ahead

Second Half of 2025 and Beyond

Expected developments include:

  • October 2025: Finalization of CTPP designations after objection period
  • Q4 2025: Commencement of active oversight activities
  • 2026: First comprehensive ESA assessments of CTPPs
  • Ongoing: Annual review and potential updates to CTPP list

Market Evolution

The CTPP framework is likely to influence:

  • Market Consolidation: Potential advantages for designated providers
  • Service Innovation: Enhanced focus on resilience features
  • Pricing Models: Costs of compliance potentially reflected in fees
  • Geographic Expansion: EU-focused data centers and services

Key Takeaways

  • CTPP designations are progressing on schedule for late 2025
  • Major cloud and technology providers expected to be designated
  • Financial institutions benefit from direct ESA oversight of critical providers
  • Ongoing third-party management responsibilities remain essential
  • Prepare for the new oversight framework through contracts and due diligence
  • Maintain communication with providers about their compliance status
  • Consider concentration risk and diversification strategies

Conclusion

The implementation of CTPP oversight represents a significant milestone in DORA's operationalization. By establishing direct EU supervision of critical ICT service providers, the framework aims to enhance the resilience of the entire financial sector. Financial institutions should actively prepare for this new regulatory landscape by updating their third-party risk management approaches and engaging proactively with their critical service providers.