In a landmark development for DORA compliance, the European Supervisory Authorities (ESAs) have published the first official list of Critical ICT Third-Party Service Providers (CTPPs) on November 18, 2025. This designation marks a major milestone in operationalizing DORA's third-party risk regime.

Key Takeaway

CTPPs are now subject to direct EU-level oversight by the ESAs. Financial institutions using these providers must ensure their contracts and risk management processes are fully aligned with DORA requirements.

What Are Critical Third-Party Providers (CTPPs)?

Under DORA, CTPPs are ICT service providers whose failure or disruption could pose systemic risk to the financial sector. The ESAs' designation brings these providers within a new, EU-level system of direct oversight.

Criteria for CTPP Designation

The ESAs designated providers based on several factors:

  • Systemic importance: The potential impact on financial stability if services are disrupted
  • Substitutability: How easily services can be replaced by alternatives
  • Number of financial entities served: The breadth of the provider's client base in the EU financial sector
  • Interconnectedness: Dependencies between the provider and critical financial infrastructure

Who Made the List?

The ESAs explain that the designated CTPPs deliver a range of ICT services - from core infrastructure to business and data services - to financial entities of all types and sizes across the EU.

Notable Designations

Amazon Web Services (AWS) has been officially designated as a Critical Third-Party Provider. According to AWS's official statement, the company will now participate in a formal oversight process designed to promote a deeper understanding of how cloud technologies enhance the resilience of the financial services industry.

Other major cloud providers and critical ICT service providers have also been designated, covering:

  • Cloud infrastructure providers
  • Core banking platform vendors
  • Payment processing services
  • Data analytics and business intelligence platforms
  • Cybersecurity service providers

What Does CTPP Designation Mean?

For the Designated Providers

CTPPs are now subject to direct ESA oversight, which includes:

  • Regulatory examinations: Regular assessments of risk management and governance frameworks
  • On-site inspections: Physical audits of operations and security controls
  • Information requests: Mandatory reporting to supervisory authorities
  • Recommendations and penalties: ESAs can issue binding recommendations and impose sanctions

For Financial Institutions

If your organization uses a designated CTPP, you must:

  • Review existing contracts: Ensure all DORA-required clauses are in place
  • Update risk assessments: Document the criticality of CTPP services
  • Strengthen monitoring: Implement continuous oversight of CTPP performance
  • Prepare exit strategies: Maintain documented and tested exit plans
  • Report to authorities: Include CTPP relationships in your Register of Information

The ESA Oversight Framework

This designation follows the ESAs' publication of their supervisory approach in the July 2025 guide on CTPP oversight. The framework establishes:

Risk Assessment Process

The ESAs will assess whether CTPPs have appropriate:

  • Risk management frameworks
  • Governance structures
  • Business continuity plans
  • Incident response capabilities
  • Security controls and testing programs

Ongoing Supervision

The oversight regime includes:

  • Annual risk assessments
  • Regular dialogue with CTPP management
  • Coordination with national competent authorities
  • Information sharing across the EU

Timeline and Key Dates

Date                Milestone
------------------  ---------------------------------------------------------------------------
January 17, 2025    DORA enters into full application
April 30, 2025      Deadline for national authorities to submit Registers of Information to ESAs
July 2025           ESAs publish CTPP oversight guide
November 18, 2025   First list of designated CTPPs published
2026 onwards        Active CTPP oversight and examinations begin

Impact on Financial Institutions

Immediate Actions Required

  1. Identify CTPP relationships: Review your ICT provider inventory against the published list
  2. Contract compliance check: Verify DORA-compliant clauses are in all CTPP agreements
  3. Risk assessment update: Reassess concentration risk and dependencies
  4. Board reporting: Inform management body of CTPP designations affecting your institution
  5. Register of Information: Update your regulatory submissions to reflect CTPP status

Strategic Considerations

Financial institutions should consider:

  • Multi-cloud strategies: Reducing concentration risk by diversifying providers
  • Exit planning: Developing robust transition capabilities
  • Contract negotiations: Leveraging CTPP status in service level discussions
  • Collaboration: Working with CTPPs on compliance documentation

What This Means for Cloud Adoption

The CTPP designation should not be viewed as a barrier to cloud adoption. In fact, AWS has stated that it views the designation as an opportunity to demonstrate how cloud technologies enhance - rather than threaten - operational resilience.

Benefits of Using Designated CTPPs

  • Regulatory clarity: Clear oversight framework reduces compliance uncertainty
  • Enhanced security: CTPPs must meet stringent ESA requirements
  • Industry standards: Designated providers set benchmarks for ICT service delivery
  • Audit efficiency: ESA oversight may reduce individual audit burden

Penalties for Non-Compliance

Organizations failing to properly manage CTPP relationships face significant consequences:

  • Financial penalties: Up to 2% of annual global turnover
  • Individual liability: Personal fines up to EUR 1 million for senior management
  • Operational restrictions: Regulators may impose business limitations
  • Reputational damage: Public disclosure of compliance failures

Next Steps for Your Organization

To ensure compliance with DORA's CTPP requirements:

  1. Download the ESA list: Review the full list of designated CTPPs on the ESA website
  2. Conduct impact assessment: Identify which CTPPs you rely on
  3. Review contracts: Ensure DORA-compliant clauses are in place
  4. Update risk frameworks: Integrate CTPP oversight into your ICT risk management
  5. Engage with providers: Coordinate compliance efforts with your CTPPs
  6. Document everything: Maintain comprehensive records for regulatory review

Need Help?

Our team can help you navigate CTPP compliance requirements. Contact us for a free consultation or download our DORA Compliance Checklist to get started.