Tech providers designated for DORA regulation

EU regulators the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) – together, the European supervisory authorities (ESA) – have designated 19 providers of ICT services as ‘critical ICT third-party providers’ (CTTPs) for the purposes of DORA regulation.

The list includes telecommunication providers such as Orange and Deutsche Telekom, data service providers such as Bloomberg and NTT, and cloud providers Amazon, Google, Microsoft, Oracle and SAP.

DORA came into force on 17 January 2025. While many of its rules apply to regulated entities within the EU’s financial service sector, such as credit institutions and insurers, the legislation also provides for the pan-European oversight of CTPPs.

DORA specifies how CTPPs are to be designated. It is this process that has now completed.

In a joint statement, the ESAs said: “The designated CTPPs provide a range of ICT services (e.g. from core infrastructure to business and data services) to financial entities of all types and sizes across the European Union, reflecting their pivotal role within the financial ecosystem.”

“Through direct oversight engagement, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities. This serves to mitigate risks that could impact the operational resilience of the financial sector of the EU. The ESAs will keep engaging with CTPPs in the course of upcoming examination activities,” the regulators said.

CTTPs face a series of requirements under DORA, including around incident management and reporting.

All businesses covered by DORA must confirm that they can withstand and manage a wide range of ICT disruptions and cyber threats and comply with uniform requirements for the security of network and information systems.