ESAs Publish List of Critical ICT Third Party Service Providers under EU DORA

On 18 November 2025, the European Supervisory Authorities (ESAs) published the first list of designated critical information and communication technology (ICT) third party service providers (CTPPs) under the EU Digital Operational Resilience Act (DORA). The designations mark a major step in operationalising DORA’s third party risk regime, bringing key ICT service providers within a new, EU‑level system of direct oversight.

In the ESAs’ accompanying press release, the ESAs explain that the designated CTPPs deliver a range of ICT services (e.g., from core infrastructure to business and data services) to financial entities of all types and sizes across the EU. 

The ESAs have followed DORA’s mandated methodology to reach these designation decisions. Firstly, the ESAs collected data from the registers of information that financial entities must maintain on their contractual arrangements for ICT services. The ESAs then conducted a detailed, cross‑sector criticality assessment in cooperation with competent authorities. This assessment was carried out in line with the multifaceted criteria set out in DORA, requiring the evaluation of a service provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the substitutability of its services. ICT third party providers assessed as critical have been formally notified.

CTPP designation brings service providers within the ESAs’ direct oversight. The ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the ICT services they deliver to financial entities. This aims to mitigate risks that could impact the operational resilience of the EU financial sector. 

This follows the ESAs setting out their supervisory approach in their July 2025 guide on the oversight of CTPPs.

The CTPP list, the press release and the guide are available here, here and here, respectively.