The European Supervisory Authorities designate critical ICT third-party providers under the Digital Operational Resilience Act

Digital Finance and Innovation
18/11/2025

The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) publish today the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation marks a crucial step in the implementation of the DORA oversight framework. 

The list of the CTPPs designated by the ESAs is accessible through this link.

The designation process followed the methodology mandated by DORA. 

First, the ESAs collected data from the Registers of Information maintained by financial entities, which detail their contractual arrangements for ICT services. 

Second, the ESAs conducted a detailed criticality assessment in cooperation with the Competent Authorities (CAs) across the EU from the banking, insurance and pensions, and securities and markets sectors. This assessment was carried out in line with the multifaceted criteria set out in DORA, which required a complete evaluation of a provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services. 

Third, ICT third-party providers assessed as critical were formally notified, after which they benefitted from their right to be heard by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information, ensuring the integrity of the process.

The designated CTPPs provide a range of ICT services (e.g. from core infrastructure to business and data services) to financial entities of all types and sizes across the European Union, reflecting their pivotal role within the financial ecosystem.

The objective of the DORA Oversight Framework, mandated to the ESAs, is to promote the sound management of ICT risk by the critical providers. Through direct oversight engagement, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities. This serves to mitigate risks that could impact the operational resilience of the financial sector of the EU.

The ESAs will keep engaging with CTPPs in the course of upcoming examination activities.

 

Further information:

Cristina Bonillo

Senior Communications Officer
press@esma.europa.eu

Related Documents
18/11/2025: List of designated CTPPs