ESAs Publish First List of Critical ICT Third-Party Providers Under DORA: What It Signals for Software Supply Chains 

On 18 November 2025, the three European Supervisory Authorities – the EBA, EIOPA and ESMA (the “ESAs”) published the first official list of “critical ICT third-party providers” (CTPPs) under the EU Digital Operational Resilience Act (DORA). 

DORA has applied across the EU financial sector since January 2025. Among other things, it creates a new, centralised oversight regime for a small number of technology providers whose failure could have system-wide impact on banks, insurers, investment firms and market infrastructures.  

This first CTPP list is a milestone in that regime – and it tells us a lot about where regulators are heading on technology supply-chain resilience. 


What have the ESAs actually done? 

Under DORA, in-scope financial entities must maintain Registers of Information describing their ICT third-party arrangements – essentially, a structured view of which external providers support which critical or important functions. Competent authorities pass this data to the ESAs.  

The ESAs then followed a three-step process, set out in DORA: 

  1. Data collection 
    They gathered information from national supervisors on financial entities’ ICT contracts and dependencies (the “Registers of Information”). 

  2. Criticality assessment 
    Using DORA’s criteria, they assessed which ICT providers are “critical”, looking at:

    a. The systemic impact if the provider suffered a major outage; 

    b. The importance of the financial entities that rely on that provider;

    c. The degree of concentration (how many firms, in which sectors, depend on them); and

    d. The substitutability of the provider’s services (how hard it is to switch).

  3. Designation and publication 
    Providers assessed as critical were notified and given a chance to respond. After reviewing any representations, the ESAs finalised and published the list of designated CTPPs.  

The oversight objective is clear: to make sure these providers have robust governance and risk-management frameworks, so that ICT disruptions at their level don’t cascade through the financial system.  


Who is on the list? 

The published list contains 19 designated CTPPs at EU level.  

It includes: 

  • Hyperscale cloud providers and major tech firms – e.g. Amazon Web Services EMEA, Google Cloud EMEA, Microsoft Ireland Operations, IBM, Oracle Nederland, SAP.  
  • Telecoms and network providers – e.g. Deutsche Telekom, Orange, Colt. 
  • Data centres and infrastructure specialists – e.g. Equinix (EMEA), InterXion.  
  • Financial-services specific technology and data providers – e.g. Bloomberg, LSEG Data and Risk, Fidelity National Information Services.  

These companies provide everything from core infrastructure and connectivity through to financial-sector-specific platforms and data services, and they support financial entities “of all types and sizes across the EU”, as the ESAs themselves put it.  

The list will be reviewed and updated annually.  


What changes for those providers? 

Designation as a CTPP means moving into a new direct oversight relationship with the ESAs: 

  • One of the ESAs acts as Lead Overseer, supported by joint examination teams.  
  • The Lead Overseer can conduct oversight activities, including information requests, risk assessments, and on-site inspections. 
  • CTPPs can be required to remediate weaknesses in areas like governance, ICT risk management, incident handling, and subcontractor oversight.  

Importantly, this does not replace financial entities’ own responsibilities for managing ICT risk; it sits on top of them. Banks, insurers and others still have to manage their third-party risk; now, the largest shared providers also face central supervisory scrutiny.


ESMA’s wider strategic push on cyber-risk & digital resilience 

In parallel with the CTPP designations, ESMA has publicly announced that cyber-risk and digital resilience will drive its Union-wide supervisory priorities for 2026. 

In its 24 October 2025 press release, ESMA noted that it had made cyber risk and digital resilience a strategic supervisory priority from January 2025, directly aligned with DORA’s application. National Competent Authorities (NCAs) and ESMA itself have already engaged in supervisory work on firms’ ICT-risk management and digital resilience. ESMA calls for that supervisory momentum to continue. 

This emphasises three things: 

  • The focus on resilience is not just contractual or vendor-management-oriented: it is becoming a regulatory supervisory theme. 
  • It means firms and their vendors must be capable of demonstrating robust ICT continuity and incident-response frameworks, not just compliance checklists. 
  • It connects the designation of CTPPs with a broader shift: regulators are increasingly treating tech-infrastructure as integral to financial-system resilience, not just “nice-to-have”. 


Why this matters to software vendors, beneficiaries and legal teams 

Even though the first CTPP list focuses on a relatively small set of large global providers, the direction of travel is highly relevant to anyone involved in building, supplying or relying on software. 

  1. Regulated customers will care more about resilience

Financial entities caught by DORA must take a much deeper interest in their entire ICT supply chain. That inevitably flows down into: 

  • tougher due diligence on technology dependencies; 
  • more detailed questions about continuity and recoverability; 
  • greater scrutiny of what happens if a vendor fails or suffers a severe outage. 

For software vendors, that means conversations with regulated clients are less about “features only” and more about operational resilience. 

  2. Vendors will face growing expectations around continuity

DORA reinforces a simple idea: 

If your clients rely on your software, they remain accountable for its resilience – even if you run it. 

So over time, vendors can expect more requests for: 

  • clear explanations of hosting arrangements and key subcontractors; 
  • evidence of business continuity planning and disaster recovery; 
  • transparency about concentration risk (“are we all relying on the same cloud region / provider?”); 
  • better-defined access and fallback arrangements in extreme scenarios. 

These expectations may start with financial-sector clients, but they tend to leak into the wider market. 

  3. Legal teams will need to rethink contract structures

For lawyers advising either side of the relationship (vendors or customers), DORA and the CTPP regime push certain clauses up the agenda: 

  • Continuity obligations (what level of resilience is promised, and how is it demonstrated, tested and documented?) 
  • Exit and transition (how a client can move away or be supported during migration if something goes wrong) 
  • Subcontractor governance (what can be passed down the chain, and on what terms?) 
  • Rights of access to information or technical artefacts in serious disruption scenarios 
  • Remedies where a vendor becomes unable to perform due to insolvency, regulatory sanctions or a major outage 

Even where contracts aren’t explicitly “DORA contracts”, they will increasingly be read through an operational resilience lens. 

  4. Organisations will increasingly seek independent safety nets

End-users, especially those in regulated or high-risk sectors, are already asking: 

  • “What’s our plan if this vendor is offline for an extended period?” 
  • “Could a failure here put us at odds with our own regulator or board risk appetite?” 

Regulatory focus on supply-chain disruption makes these questions more urgent. That, in turn, strengthens interest in independent continuity mechanisms – arrangements that ensure business-critical systems and data can still be accessed or recovered, even if the vendor is unable (or unwilling) to provide them.

  5. Part of a global shift toward resilient technology supply chains

Finally, the CTPP list is not a one-off EU curiosity. It’s part of a wider global trend: 

  • Other jurisdictions (including the US and Australia) are tightening expectations around operational resilience, cyber-risk and third-party dependencies.  

Across the board, regulators are converging on the same message: 
Software supply chains must be resilient, not just functional. 


Where software escrow fits in 

All of this points in one direction: organisations are being pushed to take third-party software risk seriously and to demonstrate that they have thought about “what if?” scenarios.  

That’s exactly where software escrow and modern access-continuity solutions can support wider third-party risk arrangements, by giving beneficiaries and their advisers a clearer path to continuity of service if the unexpected happens to a key third-party supplier solution. 

If you’d like to talk about how software escrow can complement your DORA-driven third-party risk framework or your clients’ supply-chain resilience plans, our team would be happy to help.