ESAs Designate First 19 Critical ICT Third-Party Providers (CTPPs) under DORA

The European Supervisory Authorities (EBA, EIOPA, and ESMA) have officially released the list of 19 ICT third-party service providers now designated as “Critical” (CTPPs) under the Digital Operational Resilience Act (DORA).

This designation represents a major milestone in the enforcement of the regulation. It signals a fundamental shift from supervising financial institutions alone to extending direct EU-level oversight to the external technology and infrastructure providers that underpin the financial sector’s operational resilience.

The Designated Providers

The critical ICT third-party service providers designated at the Union level are:

  • Accenture plc
  • Amazon Web Services EMEA Sarl
  • Bloomberg L.P.
  • Capgemini SE
  • Colt Technology Services
  • Deutsche Telekom AG
  • Equinix (EMEA) B.V.
  • Fidelity National Information Services, Inc. (FIS)
  • Google Cloud EMEA Limited
  • IBM Corporation
  • InterXion HeadQuarters B.V.
  • Kyndryl Inc.
  • LSEG Data and Risk Limited
  • Microsoft Ireland Operations Limited
  • NTT DATA Inc.
  • Oracle Nederland B.V.
  • Orange SA
  • SAP SE
  • Tata Consultancy Services Limited

Understanding the Scope

Reflecting the diversity of services essential to financial stability, the list covers a broad spectrum of the ICT ecosystem. While specific contractual arrangements remain confidential, the designated providers operate across four key domains:

  • Hyperscalers & Cloud Infrastructure: Providers of regulated cloud hosting, AI/ML services, and data platforms supporting core financial workloads.
  • Data, Trading & Core Platforms: Entities supplying critical real-time market data, pricing analytics, and core banking or trading technologies.
  • Consulting & Managed Services: Firms driving digital transformation, application maintenance, and managed cybersecurity services.
  • Connectivity & Data Centers: Providers responsible for low-latency trading links, colocation, and physical infrastructure.

Implications for Luxembourg

For the Luxembourg financial center, this announcement raises specific practical considerations. Several of the designated international groups operate local entities authorized as Support PSFs.

As the DORA oversight model matures, key questions regarding regulatory coordination are emerging:

  1. Local vs. EU Scope: To what extent will the direct supervision of a CTPP by the Joint Oversight Network (JON) extend to its Luxembourg-authorized entities?
  2. Supervisory Coordination: How will the JON coordinate its activities with the CSSF to ensure efficient oversight without duplication?

Looking Ahead: Registers of Information

For financial entities, this list offers immediate practical value. While the first DORA Registers of Information (ROIs) submitted earlier this year were often a “best-effort” baseline, the official CTPP list provides a clearer signal of the scope and granularity required for future reporting cycles.

Learn More

The full press release is available from the European Banking Authority.