In November 2025, the European Supervisory Authorities — EBA, ESMA, and EIOPA — published the first official list of Critical ICT Third-Party Providers (CTPPs) under DORA. It was one of the most anticipated milestones of the regulation. For years, financial entities and their technology vendors had been asking the same question: which providers will be designated, and what happens when they are?
Now the list exists. The oversight regime is live. And every compliance team that relies on a hyperscaler, major data vendor, or core technology integrator needs to understand what this changes — and what it does not.
What Is a CTPP and Why Does Designation Matter?
DORA Article 31 empowers the ESAs to designate ICT third-party service providers as "critical" when their failure or disruption could have systemic consequences for the EU financial sector. The designation triggers a new layer of EU-level oversight that did not previously exist for technology vendors: direct examination by Joint Oversight Teams, the power to issue binding recommendations, and — in cases of serious non-compliance — the ability to require financial entities to suspend or terminate their contracts with the provider.
Before DORA, a cloud provider or software vendor serving EU banks was largely outside the reach of financial regulators. They could be subject to general cybersecurity rules under NIS2, but direct financial services supervision was not part of their reality. DORA changes that for those on the list.
For financial entities, the significance is different but equally real. If your provider is designated, you now share a compliance relationship with it. The adequacy of your Article 30 contracts, the completeness of your Register of Information entry for that provider, and the credibility of your exit plan under Article 28(8) are all now directly relevant to how supervisors assess your own DORA posture.
What Types of Providers Made the CTPP List?
The ESAs built the list using data from the first round of Register of Information submissions and a structured criticality assessment. The emphasis was on providers whose failure would affect the most financial entities, whose services support the most critical functions, and who would be hardest to replace quickly.
The published list includes:
- Hyperscale cloud providers — the major public cloud platforms used for compute, storage, and managed services across the financial sector
- Data centre providers — operators of co-location and managed hosting infrastructure that underpin trading, payments, and core banking systems
- Core financial technology vendors — providers of payment infrastructure, market data feeds, and enterprise platforms used across multiple institution types
- Specialist ICT integrators — firms providing managed network, security operations, and IT services to significant numbers of regulated entities
The ESAs have been clear that the list will be updated. Further designation rounds are expected. Providers not currently on the list can also apply for voluntary designation if they want to participate in the oversight framework.
What Happens to a Designated CTPP?
Each designated provider is assigned a Lead Overseer — one of the three ESAs — based on the primary sector of the financial entities it serves. A Joint Examination Team is then formed, drawing on staff from the lead ESA, relevant national competent authorities, and where applicable, the provider's NIS2 supervisors.
The oversight activities work like this:
General investigations — the Lead Overseer can request documents, conduct interviews, and examine the provider's ICT risk governance, security controls, incident response procedures, and sub-outsourcing arrangements. On-site inspections — supervisors can visit the provider's premises, inspect its systems, and test its processes in practice. Designated providers must grant full access. Recommendations and remediation plans — if the oversight team identifies deficiencies, it issues recommendations with a compliance deadline. Failure to address serious deficiencies can trigger periodic penalty payments of up to 1% of average daily global turnover, applied daily for up to six months. Last resort: termination orders — in the most serious cases, NCAs can require financial entities under their jurisdiction to suspend or terminate their arrangements with a non-compliant provider. This power is significant precisely because it is a credible deterrent, even when it is rarely used.What Financial Entities Using a Designated Provider Need to Do Now
Your direct DORA obligations do not change because your provider has been designated. You still need a compliant Article 30 contract, an accurate Register of Information entry, and a documented exit plan.
What changes is the supervisory context. When a Joint Examination Team engages with your CTPP, it will review contractual arrangements with financial entities as part of that assessment. If your contract is missing mandatory Article 30 clauses — audit rights, incident notification obligations, sub-processor transparency, exit cooperation — that gap is now visible at ESA level, not just to your own NCA.
Here are the practical steps to take now.
Review your Article 30 contracts with any designated provider. The eight mandatory elements under Article 30(2) — clear service descriptions, sub-processor lists, audit rights, data location, incident notification, business continuity cooperation, termination rights, and exit assistance — must all be present. Many contracts signed before DORA was finalised will need amendment. Check your Register of Information entries. The entry must capture the full scope of services, the criticality assessment for each service, the sub-outsourcing chain, and the LEI identifiers for all entities involved. Gaps in these entries are now more consequential than before designation. Revisit your exit plans. Article 28(8) requires a documented exit strategy for ICT providers supporting critical or important functions. For a designated CTPP, this document will receive close scrutiny. A credible exit plan covers migration timelines, data portability provisions, contractual exit assistance obligations, and the operational dependencies that would need to be addressed during a transition. "We would switch to a different cloud provider" is not a credible exit plan. Designate an internal owner for the oversight relationship. The Joint Examination Team may contact financial entities directly as part of its work. Having a named person briefed on your contractual and operational posture with the provider is basic operational readiness.Sub-Contractor Chains: A Key Area of Scrutiny
One area the ESA oversight process will probe closely is sub-outsourcing. Your designated CTPP may itself rely on other ICT providers to deliver the services you use. DORA requires your contract to include visibility into that chain, and the oversight process will examine whether the CTPP has adequate oversight of its own sub-contractors.
For your Register of Information, this means sub-outsourcing rows must be accurate and complete. If your CTPP uses a significant sub-processor whose failure could affect the services you rely on, that dependency must be documented. The 2024 ESA dry-run showed that sub-contractor documentation was among the most common sources of validation errors. With designated providers now under direct oversight, incomplete sub-contractor data is a more visible problem.
What About Providers Not on the DORA CTPP List?
A provider not appearing on the current list does not mean it is outside DORA's scope. Your obligations under Articles 28 and 30 apply to all ICT third-party arrangements that support critical or important functions, regardless of CTPP designation. The CTPP regime adds EU-level oversight for the most systemically significant providers — it does not reduce your obligations toward the rest.
For non-designated providers, your NCA remains the relevant supervisory channel. NCAs will continue reviewing your third-party risk management practices using your Register of Information submissions and any independent examinations or document requests they conduct.
The CTPP Framework Is Designed to Be Self-Reinforcing
One of the more consequential aspects of the designation system is that it creates incentives that reach beyond the designated providers themselves. Financial entities that use CTPPs now have a direct interest in those providers maintaining good governance and cooperating with oversight — because a serious enforcement action against a provider could ultimately require renegotiated contracts, built-out exit capability, or a demonstration to their own NCA that concentration in a non-compliant supplier has been addressed.
This is the systemic logic of the regime. DORA is not designed to police cloud providers for their own sake. It is designed to make the EU financial system more resilient by ensuring that the ICT infrastructure it depends on is subject to scrutiny proportionate to the risk it carries.
The first CTPP list is a beginning, not an endpoint. Further designation rounds will follow, oversight activities are now underway, and the data gathered through Joint Examination Teams will inform both future designations and the broader development of DORA's technical standards.
If you use a provider that has been designated, there is one question worth sitting with: if your NCA asked you today to demonstrate that your arrangement with that provider is fully DORA-compliant, how confident would you be in your answer?