ESAs designate critical ICT third-party providers under DORA
29 Dec 2025
|
On 18 November 2025, the European Supervisory Authorities (EBA, EIOPA, and ESMA) officially designated critical Information & Communication Technology (ICT) third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This milestone strengthens the EU's financial sector's operational resilience by ensuring robust oversight of key ICT service providers.
Key highlights:
Role of CTPPs:
- These providers deliver essential ICT services, including infrastructure, business, and data services, to financial entities across the EU.
- They have a pivotal role in maintaining the financial ecosystem's stability.
Objective of the DORA Oversight framework:
- Promote the sound management of ICT risk by the critical providers through direct oversight engagement
- The DORA framework mandates the European Supervisory Authorities to oversee CTPPs, ensuring they implement effective risk management and governance practices.
- This oversight aims to mitigate ICT risks and safeguard the EU financial sector's operational resilience.
The European Supervisory Authorities will continue engaging with designated CTPPs through ongoing examinations to uphold these standards.
For further details, refer to ESMA’s news release, here and the List of Designated CTPPs, here
Key contacts
+- Related content
Regulatory Blog
ESMA launches Call for Evidence on European equity market structure: Key takeaways for market participants
Regulatory Blog
JFSC launches consultation on Phase 1 updates to the Bank Licensing Policy
Regulatory Blog
UK significantly ramps up Russia trade sanctions (May 2026): What you need to know