Regulatory Updates

The European Supervisory Authorities (EBA, EIOPA, and ESMA) have officially released the list of 19 ICT third-party service providers now designated as “Critical” (CTPPs) under the Digital Operational Resilience Act (DORA).

This designation represents a major milestone in the enforcement of the regulation. It signals a fundamental shift from supervising financial institutions alone to extending direct EU-level oversight to the external technology and infrastructure providers that underpin the financial sector’s operational resilience.

The Designated Providers

The critical ICT third-party service providers designated at the Union level are:

  • Accenture plc
  • Amazon Web Services EMEA Sarl
  • Bloomberg L.P.
  • Capgemini SE
  • Colt Technology Services
  • Deutsche Telekom AG
  • Equinix (EMEA) B.V.
  • Fidelity National Information Services, Inc. (FIS)
  • Google Cloud EMEA Limited
  • IBM Corporation
  • InterXion HeadQuarters B.V.
  • Kyndryl Inc.
  • LSEG Data and Risk Limited
  • Microsoft Ireland Operations Limited
  • NTT DATA Inc.
  • Oracle Nederland B.V.
  • Orange SA
  • SAP SE
  • Tata Consultancy Services Limited

Understanding the Scope

Reflecting the diversity of services essential to financial stability, the list covers a broad spectrum of the ICT ecosystem. While specific contractual arrangements remain confidential, the designated providers operate across four key domains:

  • Hyperscalers & Cloud Infrastructure: Providers of regulated cloud hosting, AI/ML services, and data platforms supporting core financial workloads.
  • Data, Trading & Core Platforms: Entities supplying critical real-time market data, pricing analytics, and core banking or trading technologies.
  • Consulting & Managed Services: Firms driving digital transformation, application maintenance, and managed cybersecurity services.
  • Connectivity & Data Centers: Providers responsible for low-latency trading links, colocation, and physical infrastructure.

Implications for Luxembourg

For the Luxembourg financial center, this announcement raises specific practical considerations. Several of the designated international groups operate local entities authorized as Support PSFs.

As the DORA oversight model matures, key questions regarding regulatory coordination are emerging:

  1. Local vs. EU Scope: To what extent will the direct supervision of a CTPP by the Joint Oversight Network (JON) extend to its Luxembourg-authorized entities?
  2. Supervisory Coordination: How will the JON coordinate its activities with the CSSF to ensure efficient oversight without duplication?

Looking Ahead: Registers of Information

For financial entities, this list offers immediate practical value. While the first DORA Registers of Information (ROIs) submitted earlier this year were often a “best-effort” baseline, the official CTPP list provides a clearer signal of the scope and granularity required for future reporting cycles.

Learn More

You can view the full press release from the European Banking Authority here.