
EU regulators designate critical ICT third-party providers under DORA
On 18 November 2025, the European Supervisory Authorities (ESAs) published a list of 19 critical information and communications technology (ICT) third-party providers (CTPPs) under the EU Digital Operational Resilience Act (DORA).
The list comprises household names such as Amazon Web Services, Google Cloud, and Microsoft, alongside data centre operators, telecommunications providers, and specialist financial technology firms. Collectively, these organisations deliver a wide range of ICT services across the EU – from processing transactions and hosting customer data to providing market intelligence and connectivity infrastructure. The ESAs' designation process followed DORA's prescriptive methodology, which assesses the systemic impact of an operational failure, the number and importance of dependent financial institutions, market concentration, and whether alternative providers could readily step in.
Why does this matter?
For the first time, designated providers will face a comparable level of regulatory scrutiny to their financial institution customers – including mandatory risk assessments, incident reporting requirements, and potential financial penalties for non-compliance. This is intended to afford further protection to the financial entities and organisations across the EU that rely heavily on these providers' services and infrastructure, something regulators are particularly focused on in light of a number of recent major IT disruptions at Microsoft, AWS and Cloudflare, as well as the global CrowdStrike incident.
A new reality for Financial Services organisations
Whilst designated third-party providers will now face direct regulatory scrutiny, financial institutions cannot treat this as a substitute for their own due diligence and risk management obligations. Firms remain fully accountable for ensuring their outsourcing arrangements meet DORA's standards, regardless of whether their vendor is now supervised by the ESAs. In practice, this means financial entities must continue to negotiate robust contractual protections, conduct their own risk assessments, and maintain detailed contingency plans.
The designation may, however, create new friction: technology providers could argue that regulatory oversight reduces the need for customer-imposed controls, potentially resisting audit rights or exit provisions on the grounds that regulators are already monitoring their resilience. This mirrors the experience under GDPR, where processors began to push back on controller-imposed requirements on the basis that they were themselves directly subject to the regulation.
Perhaps most significantly, regulators retain the power to compel financial institutions to suspend or even terminate their use of a designated provider if identified risks remain unaddressed – underscoring that responsibility continues to sit with the regulated firm, not the third-party provider.
Contractual implications
Financial institutions should not expect the designation to ease their contractual negotiations with technology providers. The most contentious areas – subcontracting controls, comprehensive audit rights, and detailed exit provisions – are likely to remain heavily disputed and difficult to secure, particularly where providers operate standardised service models across multiple customers.
There is no immediate prospect of a regulatory "safe harbour" or standardised contractual framework that would allow firms to rely on the ESAs' oversight in place of individual contractual protections. Instead, firms must redouble their efforts to ensure both existing and future contracts contain the provisions DORA mandates: clear service level commitments, data portability mechanisms, business continuity obligations, and termination rights that can be exercised without penalty if regulators require it.
Importantly, the designation of these 19 providers does not diminish the obligations of non-designated technology vendors – they too should aim to meet the contractual standards DORA imposes on financial institutions. Firms should not assume that smaller or specialist providers face lighter requirements. Financial organisations and technology companies should act now to review the list and align their sourcing and third-party risk frameworks accordingly.
What's next for the UK?
As DORA continues to set new standards for resilience, risk management, and governance in the technology sector, UK financial institutions are likely to begin expecting similar standards from their UK technology providers, even where not legally required.
Note for UK payment service firms: firms may also need to manage dual incident reporting processes in the UK in relation to payment services. The FCA does not intend to repeal the incident reporting requirements in SUP 15.14, so firms may need to make two separate notifications where a payment services major incident also meets the threshold for a reportable operational incident.
Whilst no designations have yet been made in the UK, the UK's parallel critical third party (CTP) regime is expected to mirror DORA's approach. According to an HM Treasury meeting in early November 2025, initial designations are anticipated within the next 12 months. The EU's list provides a strong indication of which providers UK authorities are likely to target.
Authors: Roni Rossa and Dan Read
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.