ESAs publish the first list of critical ICT third-party providers under DORA

On 18 November 2025, the European Supervisory Authorities – EBA, EIOPA and ESMA (ESAs) – published the first list of Critical ICT Third-Party Providers (CTPPs) designated under the Digital Operational Resilience Act (DORA). The publication marks the transition to the operational phase of the new EU-level oversight framework targeting technology providers essential to the stability and resilience of the financial sector.

New oversight of ICT providers – purpose and significance

According to ESMA, the objective of the DORA Oversight Framework is to ensure that critical ICT providers maintain robust risk-management structures, cybersecurity standards and operational-resilience capabilities. The ESAs will exercise direct oversight, including the assessment of governance arrangements, ICT risk-management processes and the providers’ ability to deliver services under disruption scenarios. The ESAs have also announced upcoming examination activities involving the designated providers.

Recommendation for financial institutions

In view of the publication of the first CTPP list and the further supervisory activities announced by ESMA, we recommend that financial institutions regularly monitor ESAs’ communications regarding the supervisory status and DORA compliance of critical ICT providers. Ongoing monitoring of updates to the CTPP list will support effective management of technology-concentration risks and enable institutions to enter into or update contractual arrangements with providers subject to ESAs’ oversight in line with current security and operational-resilience standards.

List of designated Critical ICT Third-Party Providers (CTPPs)

(alphabetically, as per ESMA document)

  • Accenture plc
  • Amazon Web Services EMEA Sàrl
  • Bloomberg L.P.
  • Capgemini SE
  • Colt Technology Services
  • Deutsche Telekom AG
  • Equinix (EMEA) B.V.
  • Fidelity National Information Services, Inc.
  • Google Cloud EMEA Limited
  • International Business Machines Corporation (IBM)
  • InterXion Headquarters B.V.
  • Kyndryl Inc.
  • LSEG Data and Risk Limited
  • Microsoft Ireland Operations Limited
  • NTT DATA Inc.
  • Oracle Nederland B.V.
  • Orange S.A.
  • SAP SE
  • Tata Consultancy Services Limited

ESAs Publish First List of Critical ICT Providers Under DORA

The European Supervisory Authorities (ESAs) have announced the first list of Critical ICT Third-Party Providers (CTPP) under DORA, introducing new oversight for companies crucial to the operational resilience of the financial sector. Financial institutions should regularly monitor the status of these providers and adjust contracts to meet DORA standards.

Author: Mateusz Bałuta, team leader, D&P Legal