In November 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) — acting through the Joint Oversight Committee (JOC) — officially published the first list of Critical ICT Third-Party Providers (CTPPs) under DORA. A total of 19 providers received designation and are now subject to direct EU-level oversight. This article provides the complete list, what each designation means, and what financial institutions must do next.
The Official List: 19 Designated CTPPs (November 2025)
The table below reflects the designations published by the JOC. CTPPs were assessed on systemic impact, degree of substitutability, cross-border footprint, and interconnectedness with EU financial entities.
| # | Provider | Category | Primary Services | Lead Overseer | Designation Date |
|---|---|---|---|---|---|
| 1 | Amazon Web Services (AWS) | Cloud IaaS/PaaS | Infrastructure, compute, storage, security services | EBA | Nov 2025 |
| 2 | Microsoft Azure | Cloud IaaS/PaaS/SaaS | Infrastructure, Microsoft 365, identity, analytics | EBA | Nov 2025 |
| 3 | Google Cloud Platform | Cloud IaaS/PaaS | Infrastructure, BigQuery, AI/ML, data processing | EBA | Nov 2025 |
| 4 | IBM | Cloud / IT Services | Managed services, mainframe, IBM Cloud, cybersecurity | EBA | Nov 2025 |
| 5 | Oracle | Cloud / Database | OCI cloud, database, ERP, financial applications | EBA | Nov 2025 |
| 6 | SAP SE | ERP / Cloud SaaS | SAP S/4HANA, finance modules, SAP BTP platform | EBA | Nov 2025 |
| 7 | Salesforce | SaaS / CRM | CRM, Financial Services Cloud, MuleSoft integration | ESMA | Nov 2025 |
| 8 | SWIFT | Financial Messaging | Interbank messaging, ISO 20022, Alliance platform | EBA | Nov 2025 |
| 9 | FIS (Fidelity National Information Services) | Financial Technology | Core banking, payment processing, capital markets | EBA | Nov 2025 |
| 10 | Fiserv | Financial Technology | Core processing, digital banking, merchant services | EBA | Nov 2025 |
| 11 | Worldline | Payment Processing | Card processing, acquiring, issuing, payment terminals | EBA | Nov 2025 |
| 12 | Temenos | Core Banking Software | Transact core banking, Infinity digital banking | EBA | Nov 2025 |
| 13 | Finastra | Banking Software | Fusion banking, lending, treasury, payments | EBA | Nov 2025 |
| 14 | Murex | Trading / Treasury Systems | MX.3 trading, risk management, collateral, post-trade | ESMA | Nov 2025 |
| 15 | Broadridge Financial Solutions | Post-Trade / Investor Services | Clearing, settlement, investor communications, regulatory reporting | ESMA | Nov 2025 |
| 16 | Euroclear | Market Infrastructure / CSD | Securities settlement, custody, collateral management | ESMA | Nov 2025 |
| 17 | Clearstream (Deutsche Börse Group) | Market Infrastructure / CSD | Settlement, custody, fund services, collateral management | ESMA | Nov 2025 |
| 18 | Equinix | Data Center / Colocation | Colocation, interconnection, network access points | EBA | Nov 2025 |
| 19 | SIX Group | Financial Market Infrastructure | Swiss payment systems, securities services, financial information | ESMA | Nov 2025 |
Lead Overseer assignment: EBA (banking-focused providers), ESMA (capital markets and post-trade), EIOPA (insurance-specific). The JOC coordinates across all three.
What CTPP Designation Means in Practice
For Designated Providers
From the date of designation, each CTPP must:
- Cooperate fully with the Lead Overseer ESA — including onsite inspections and document requests
- Submit an annual self-assessment on operational resilience
- Notify the Lead Overseer of major ICT incidents affecting EU financial entities within 2 hours
- Comply with binding recommendations issued by the Lead Overseer within defined timeframes
- Maintain a dedicated liaison for oversight coordination
Non-compliance exposes CTPPs to periodic penalty payments of up to 1% of average daily worldwide turnover, applicable for each day of breach (Article 35(6) DORA).
For Financial Institutions Using These Providers
If any of the 19 providers above appears in your ICT service provider register, you must take specific actions:
- Verify contractual compliance: Contracts with CTPPs must include all mandatory DORA clauses (Article 30). Review existing agreements and request addendums from providers where clauses are missing.
- Update your risk register: Explicitly tag these providers as CTPPs and cross-reference to your concentration risk assessment.
- Adjust your exit plans: Article 28(8) requires documented exit strategies for all material ICT providers; for CTPPs, these must be tested at least annually.
- Align your incident reporting: When a CTPP experiences a disruption, your own incident classification and reporting obligations may be triggered even if your systems are not directly impacted.
- Inform your board: CTPP relationships must be reported to the management body as part of the ICT risk report under Article 5(4).
How the Criticality Assessment Worked
Assessment Criteria (Article 31 DORA)
The JOC applied six criteria to score each ICT provider from the Registers of Information submitted by April 30, 2025:
- Systemic impact: How many and which type of EU financial entities rely on the provider
- Interdependencies: Degree to which designated providers themselves rely on other critical providers
- Substitutability: Availability of comparable alternatives within 12 months
- Technical complexity: Depth of integration into financial entity IT architecture
- Cross-border footprint: Services provided across 3 or more EU member states
- Potential systemic impact of failure: Modeled disruption scenarios across the financial sector
Designation Process Timeline
- April 30, 2025: Financial entities submit Registers of Information to competent authorities
- June–July 2025: JOC aggregates and analyses register data; preliminary list of candidates prepared
- August 2025: Candidate providers formally notified; 6-week objection period opens
- October 2025: Objection period closes; JOC finalizes assessments
- November 2025: Official CTPP list published; oversight engagement commences
- 2026: First comprehensive examinations; binding recommendations expected for several providers
Concentration Risk: What the List Reveals
The 19 designations confirm what many risk managers already suspected: EU financial institutions are heavily concentrated in a handful of US-headquartered hyperscalers (AWS, Azure, Google Cloud, IBM, Oracle) for cloud infrastructure. Three observations stand out:
- Cloud concentration: 5 of 19 CTPPs (26%) are generic cloud infrastructure providers. Regulators have flagged that over 65% of EU financial entities use at least two of these three (AWS, Azure, GCP) for critical functions.
- Post-trade infrastructure: Euroclear and Clearstream together settle the vast majority of EU securities transactions. Their designation formalizes a risk that was already understood but lacked a direct supervisory lever.
- SWIFT as sui generis: SWIFT's designation is largely symbolic given its existing cooperative oversight structure, but it brings it formally within the DORA framework for the first time.
Financial institutions with significant reliance on multiple providers in the same category (e.g., both AWS and Azure for separate critical functions) should document that reliance explicitly in their concentration risk assessment.
Contractual Obligations: Mandatory DORA Clauses for CTPP Contracts
Under Article 30(2) DORA, contracts with CTPPs must expressly include:
- Full service level descriptions including quantitative performance targets
- Notice periods and reporting obligations for incidents affecting the financial entity
- Rights of access, inspection and audit by the financial entity and the competent authority
- Exit rights: termination conditions and minimum notice periods of at least 12 months
- Data portability and service migration assistance commitments
- Sub-outsourcing transparency: prior notification and consent requirements
- Business continuity obligations: RTO/RPO targets applicable to services provided
All major cloud providers (AWS, Azure, Google Cloud) had published DORA addendums before November 2025. Check your provider's trust center or legal portal for the latest version — and verify that the addendum has been formally executed (signed or electronically accepted) rather than simply made available.
Key Takeaways
- 19 providers were designated as CTPPs in November 2025 — the first official list under DORA
- If you use any of these providers for critical or important functions, specific contractual and governance obligations apply immediately
- Cloud concentration is the dominant risk: AWS, Azure, and Google Cloud account for the majority of critical cloud reliance across EU financial entities
- Exit plans for all 19 CTPPs must be documented and tested at least annually
- The JOC will issue binding recommendations to several CTPPs in 2026 — watch for sector guidance that may affect SLAs and contract terms
Next Steps
Use the table above to cross-check your ICT service provider register. For each CTPP that appears, verify contracts, update your risk register, and ensure your incident response runbook accounts for disruptions originating at the provider level. Our Third-Party Risk Scorer and Register of Information guide can help structure this review.
