Your ICT Provider Just Got Designated “Critical” Under DORA. Now What?

Alexander Sverdlov
If one of your ICT providers gets designated as a Critical Third-Party Provider, your compliance obligations just changed - even though you didn’t do anything differently. Here’s what you need to know.

Picture this. You arrive at work on a Monday morning. Coffee in hand. Inbox manageable. Then your head of vendor management sends you a link to a regulatory notice: one of your cloud infrastructure providers has been designated as a Critical Third-Party Provider (CTPP) by the ESAs under DORA Article 31.

Your first thought: “What does this mean for us?”

Your second thought, after reading the implications: “This is going to require a lot of work.”

Both thoughts are correct. The CTPP designation is one of the most consequential mechanisms in DORA, and it creates ripple effects that extend far beyond the designated provider itself. If you use that provider - and given which companies are likely to be designated, you probably do - you need to understand what’s coming.

What “Critical Third-Party Provider” Actually Means

Let’s start with the basics. DORA Article 31 establishes a framework for the ESAs to designate ICT third-party service providers as “critical” when they meet certain criteria related to systemic importance. This isn’t about whether the provider is important to you. It’s about whether they’re important to the financial system.

The designation criteria include:

Systemic impact of a disruption. If the provider experienced a major failure, would it affect the stability or continuity of financial services across the EU? The ESAs assess this by looking at how many financial entities depend on the provider and for which functions.

Number of financial entities served. Providers that serve a large number of financial entities - especially for critical or important functions - are more likely to be designated. The aggregated Register of Information data from across the sector feeds directly into this assessment.

Degree of substitutability. How easy would it be for the financial sector to replace this provider? If 200 banks depend on the same provider and there’s no realistic alternative, that’s a systemic concentration that the ESAs want to oversee directly.

Interconnectedness. Does the provider serve entities across multiple sectors (banking, insurance, investment), multiple jurisdictions, and multiple types of function? The more interconnected, the more systemic.

In plain terms: the ESAs are looking at the Register of Information data from thousands of financial entities and asking, “Which providers are so widely used and so deeply embedded that their failure would be a financial stability event?” Those providers get designated.

Who’s Likely to Get Designated (Let’s Be Honest About This)

The ESAs haven’t published the final list of CTPPs at the time of writing. But let’s be real about who the likely candidates are. You can probably guess them without reading any regulatory paper:

Major cloud infrastructure providers: AWS, Microsoft Azure, Google Cloud Platform. When a significant percentage of European banking infrastructure runs on three cloud platforms, those platforms are definitionally systemic.

Major enterprise software providers: Microsoft (for M365/productivity), Oracle, SAP. These companies provide critical business systems to a large portion of the financial sector.

Key financial market infrastructure providers: SWIFT, Bloomberg, Refinitiv. Providers of market data, messaging, and settlement infrastructure that the financial system cannot function without.

Specialised fintech infrastructure: Core banking system providers, payment processing platforms, and other specialised providers with high concentration among financial entities.

If you’re a European financial entity, you almost certainly use several of these. Which means the CTPP designation will affect you, even though the designation is on the provider, not on you.

The Oversight Framework: What Happens to Designated Providers

Direct ESA supervision - a regime that didn’t exist before DORA

This is genuinely unprecedented. Before DORA, ICT providers to the financial sector were not directly supervised by financial regulators. Your bank was supervised. Your provider was not. DORA changes that.

Once designated, a CTPP is subject to direct oversight by a Lead Overseer - one of the three ESAs (EBA, EIOPA, or ESMA), depending on the sectors the provider predominantly serves. The Lead Overseer has the power to:

Request information: Demand access to data, documentation, and reports from the provider about the services delivered to financial entities.

Conduct inspections: On-site inspections at the provider’s premises, including data centres and operational facilities.

Issue recommendations: Formal recommendations to the provider on security measures, risk management practices, and operational resilience standards.

Impose penalties: If the provider fails to comply with recommendations, the Lead Overseer can impose penalty payments. For non-EU providers, there are additional compliance requirements including potentially establishing an EU subsidiary.

This is significant for the providers. Companies that have never been subject to financial regulatory oversight - tech companies that think of compliance as SOC 2 reports and ISO certifications - are about to experience a very different kind of regulatory relationship. The ESAs can ask questions. They can show up. They can tell the provider to change how they operate. That’s a new world for companies accustomed to operating outside financial regulation.

What It Means for You as a Financial Entity

Here’s the part that catches most people off guard: CTPP designation doesn’t reduce your obligations. In some ways, it increases them.

You might think, “Great, the ESAs are now directly overseeing my cloud provider. That means I can worry less about third-party risk for that provider.” Wrong. Here’s why:

Your due diligence obligations don’t change

DORA Article 28 still requires you to perform ongoing due diligence on all ICT third-party service providers, including CTPPs. The ESAs’ oversight complements your risk management - it doesn’t replace it. You still need to assess the risks, monitor the relationship, and maintain contractual protections.

Concentration risk becomes explicit

If you rely on a designated CTPP for critical functions, your NCA will expect you to have explicitly assessed and documented the concentration risk. What is your exposure if this provider fails? What are your alternatives? What’s your exit plan? The designation makes concentration risk visible and auditable. Your regulator will ask about it.

Exit strategies become mandatory

For services delivered by CTPPs that support critical or important functions, you must have credible exit strategies. Not theoretical. Credible. This means: identified alternative providers, estimated migration timelines, data portability plans, and contractual provisions that make exit feasible. For many firms, the honest assessment of their exit capability for hyperscale cloud providers is “18-36 months, at best.” Your regulator knows this. They want to see that you’ve at least thought about it seriously.

Contractual compliance is scrutinised more closely

Your contracts with CTPPs will receive heightened regulatory attention. Do they include all Article 30 provisions? Audit rights? Incident assistance obligations? Termination rights? Data portability? If your contract with a designated CTPP is missing these provisions, your NCA will notice - because the CTPP’s Lead Overseer is already looking at the provider side of these arrangements.

RoI reporting takes on additional weight

Your Register of Information already captures your relationship with every ICT provider. For CTPPs, this data is particularly important because the ESAs use it to assess systemic concentration. Accurate, detailed, well-structured RoI data about your CTPP relationships isn’t just a compliance obligation - it’s an input into a sector-wide stability assessment.

The Non-EU Provider Question

Here’s where things get geopolitically interesting.

Most of the likely CTPPs - AWS, Microsoft, Google - are US companies. DORA requires designated CTPPs to have an establishment within the EU; if they don’t, they must establish an EU subsidiary within 12 months of designation.

This is not a trivial requirement. It’s DORA’s way of ensuring that the Lead Overseer has jurisdictional reach over the provider. You can’t conduct on-site inspections at a company that has no legal presence in your jurisdiction. You can’t impose penalty payments on an entity that doesn’t exist under your legal system.

The major US cloud providers already have EU subsidiaries, so this may not be a practical barrier for them. But for smaller, specialised providers that serve the European financial sector from outside the EU, the requirement to establish an EU subsidiary could be significant - or they could choose to withdraw from the EU market rather than comply.

If one of your non-EU providers is designated and chooses not to comply with the subsidiary requirement, you face a provider that is both critical and non-compliant. That’s a scenario your exit planning needs to cover.

What to Do Right Now: A Practical Checklist

Whether your providers have been designated yet or not, these are the actions you should be taking:

1. Identify which of your providers are likely CTPP candidates. Look at your Register of Information. Which providers serve critical functions? Which are widely used across the sector? Which have no realistic alternative? These are your probable CTPPs.

2. Assess your concentration risk for each candidate. For each likely CTPP, document: what services they provide, which critical functions depend on those services, what percentage of your ICT budget they represent, and what your exposure would be if they experienced a major failure or withdrew from the EU market.

3. Develop or update exit strategies. Be realistic. An exit strategy that says “migrate to alternative provider within 6 months” for a core banking platform is not credible. An exit strategy that says “identify alternative providers, begin parallel architecture work, achieve full migration within 24 months with interim risk mitigants” is at least honest.

4. Review your contracts against Article 30. Specifically for likely CTPPs. Do you have audit rights? Data portability provisions? Termination rights with adequate transition periods? Incident notification obligations? If not, start the renegotiation now. It takes time.

5. Ensure your RoI data for these providers is complete and accurate. The ESAs will use aggregated RoI data to make designation decisions and to monitor ongoing concentration. Your data for these relationships should be detailed, current, and structured correctly. Platforms like Venvera make this considerably easier by maintaining the relational structure that the ESAs’ xBRL-CSV format requires.

6. Brief your board. CTPP designation has implications that the management body needs to understand: increased regulatory scrutiny of third-party relationships, potential need for enhanced exit planning, and possible changes to the provider’s service delivery model as it adapts to oversight requirements. Don’t wait until designation happens to have this conversation.
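One way to script checklist items 1 to 3 over a simplified Register of Information extract, as an added example that is not part of the original post or of Venvera’s product: the column names and sample rows are constructed for illustration (the ESAs’ xBRL-CSV template has a different structure), and the code flags providers that support critical functions with no identified alternative as probable CTPPs, then lists where a documented exit strategy is still missing, most exposed first.

```python
import csv
import io
from collections import defaultdict

# Constructed, simplified RoI extract (not the ESA xBRL-CSV template). One row
# per ICT service; critical = supports a critical or important function,
# alternative = realistic replacement identified, exit_months = blank if none.
SAMPLE_ROI = """provider,service,critical,alternative,exit_months,annual_spend_eur
CloudCo,compute hosting,Y,N,,4200000
CloudCo,object storage,Y,N,,900000
CloudCo,dev sandbox,N,Y,3,120000
MsgNet,payment messaging,Y,N,,650000
DeskSaaS,ticketing,N,Y,2,80000
DataFeed,market data,Y,Y,9,300000
"""

def assess_concentration(roi_csv: str) -> dict:
    """Per provider: critical services supported, share of ICT spend, and the
    critical services with no identified alternative (the exit gaps)."""
    rows = list(csv.DictReader(io.StringIO(roi_csv)))
    total_spend = sum(int(r["annual_spend_eur"]) for r in rows)
    report = defaultdict(lambda: {"critical_services": [], "exit_gaps": [],
                                  "spend_eur": 0, "longest_exit_months": 0})
    for r in rows:
        p = report[r["provider"]]
        p["spend_eur"] += int(r["annual_spend_eur"])
        if r["critical"] == "Y":
            p["critical_services"].append(r["service"])
            if r["alternative"] != "Y" or not r["exit_months"]:
                p["exit_gaps"].append(r["service"])  # no credible exit yet
            else:
                p["longest_exit_months"] = max(p["longest_exit_months"], int(r["exit_months"]))
    for p in report.values():
        p["spend_share"] = round(p["spend_eur"] / total_spend, 3)
        # Checklist item 1: critical dependency with no realistic alternative.
        p["ctpp_candidate"] = bool(p["critical_services"]) and bool(p["exit_gaps"])
    return dict(report)

def exit_plan_actions(report: dict) -> list:
    """Checklist items 2 and 3: providers needing a documented exit strategy,
    most exposed first (number of gaps, then spend share)."""
    ranked = sorted(report.items(),
                    key=lambda kv: (-len(kv[1]["exit_gaps"]), -kv[1]["spend_share"]))
    return [f"{name}: exit strategy needed for {', '.join(p['exit_gaps'])} "
            f"(spend share {p['spend_share']:.1%})" for name, p in ranked if p["exit_gaps"]]

if __name__ == "__main__":
    for action in exit_plan_actions(assess_concentration(SAMPLE_ROI)):
        print(action)
```

The `ctpp_candidate` flag is the entity’s own view of substitutability, not the ESAs’ designation decision; the sector-wide criteria (number of entities served, interconnectedness) can only be assessed from aggregated data.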

The Silver Lining (Yes, There Is One)

Amidst all the additional obligations, there’s a genuine upside to the CTPP oversight framework.

For years, financial entities have struggled to get meaningful security and resilience information from their largest technology providers. You send a due diligence questionnaire; they send back a generic SOC 2 report. You request audit access; they point you to a shared assessment. You ask about their disaster recovery capabilities; they give you a marketing brochure.

Direct ESA oversight changes this dynamic. When a Lead Overseer conducts inspections and issues recommendations, the findings create a baseline of independent assurance about the provider’s operational resilience that individual financial entities could never achieve on their own. This information, while not publicly detailed, informs the sector’s understanding of provider risk.

The oversight also creates competitive pressure among providers. If one CTPP receives recommendations to improve its resilience practices and another doesn’t, that distinction becomes meaningful in procurement decisions. Over time, this should raise the bar for the entire ICT supply chain serving the financial sector.

It’s not a reason to relax your own due diligence. But it’s a genuine addition to the toolkit available for managing third-party ICT risk at a systemic level. And that’s something the financial sector has needed for a long time.

Designation Is Coming. Be Ready.

The CTPP designation process is underway. The ESAs are collecting data, assessing systemic importance, and preparing the first designations. When they happen, they’ll create immediate obligations for both the designated providers and the financial entities that use them.

The firms that have already mapped their critical dependencies, assessed their concentration risks, developed credible exit strategies, and maintained detailed RoI data will navigate this smoothly. They’ll update their risk assessments, adjust their board reporting, and move on.

The firms that haven’t will scramble. And scrambling is never a good look when your regulator is watching.

Map Your Critical Dependencies

Venvera’s Register of Information and ICT third-party risk modules help you track provider relationships, assess concentration risk, and maintain xBRL-CSV-ready data for CTPP-related reporting. Across 13 frameworks, starting at €399/month.


Last updated: March 2026. CTPP designation criteria referenced from DORA Articles 31-44 and associated delegated regulations.

Alexander Sverdlov

CEO & Founder

Alexander is the founder of Venvera and a 20+ year veteran of European cybersecurity and compliance. He has led security and risk programmes for regulated financial institutions, fintechs and SaaS companies operating under DORA, NIS2, GDPR, ISO 27001 and the EU AI Act. Before Venvera, he founded Atlant Security, an offensive security consultancy that ran penetration tests, red-team exercises and ISO 27001 readiness programmes for clients across the EU and the Middle East. He writes on the cross-framework realities of running modern compliance: how to map one control to many obligations, where the spreadsheets fall apart, and what regulators are actually asking for once the auditor sits down.
