DORA Critical ICT Third-Party Providers Guide

  • DORA
  • Gabriel Few-Wiegratz
  • Published: 20th May 2026

Highlights
  • DORA Article 31 empowers the ESAs to designate ICT third-party providers as critical. In November 2025, the ESAs published the first official list of 19 designated CTPPs, covering major cloud providers, core banking platforms, and specialist financial technology firms.
  • Designation triggers direct ESA oversight of the provider, conducted by a lead overseer (EBA, EIOPA, or ESMA) with rights to request information, conduct investigations, and carry out on-site inspections under Article 35.
  • For financial entities, the Article 30 contractual obligations apply across all material ICT third-party relationships regardless of designation status. Designation heightens supervisory scrutiny of whether those obligations are genuinely enforceable.
  • Financial entities must maintain a register of information covering all ICT third-party contractual arrangements under Article 28(3), and must have documented, tested exit strategies for critical ICT dependencies under Article 28.
  • Concentration risk demands a governance response: where no credible near-term alternative exists for a designated CTPP, financial entities must demonstrate active risk management of the dependency to their competent authority.
Expert View

Matt Davies

Chief Product Officer, SureCloud

What our experts say about critical ICT third-party governance

"Most firms I talk to have Article 30 contracts in place. The problem shows up when a provider gets designated critical. The question shifts from having the right provisions to being able to exercise them. I've seen organisations with full audit rights in the contract and no actual process for requesting one, or exit strategies written in 2024 that have never been tested against a realistic migration scenario. When a lead overseer comes looking, they want to see governance that's operational. The shortfall is almost always between what the contract says and what the firm has built to run it."

KEY FACTS

  1. Article 31 DORA: The ESAs assess ICT third-party providers against four designation criteria: systemic impact of a failure, the systemic importance of dependent financial entities, reliance on the provider for critical or important functions, and degree of substitutability.
  2. November 2025: The ESAs published the first official list of 19 designated critical ICT TPPs under DORA, including major cloud infrastructure and core banking platform providers. The list is updated annually.
  3. Article 35 DORA: The lead overseer has the right to request information, conduct general investigations (including personnel interviews), and carry out on-site inspections at the designated CTPP's premises and at material subcontractors.
  4. Article 28(3) DORA: Financial entities are required to maintain a complete Register of Information of all ICT third-party contractual arrangements. The first submission cycle required NCAs to report their collected registers to the ESAs by 30 April 2025, with individual NCA submission deadlines for financial entities falling earlier (timelines varied by jurisdiction). The Register of Information is an annual obligation, and ongoing maintenance of the register for supervisory inspection remains a live requirement.
  5. Article 28 DORA: Exit strategies for critical ICT dependencies must be documented, comprehensive, and tested. Where substitution is not immediately practicable, the strategy must address the constraint honestly and set out controls that apply during the dependency period.
Why Critical ICT Third-Party Oversight Matters

DORA became applicable on 17 January 2025, applying across EU financial services: credit institutions, investment firms, insurance undertakings, payment institutions, and others listed in Article 2. Its third-party chapter reflects a regulatory judgement that concentration risk in a small number of dominant ICT providers, particularly hyperscale cloud platforms, poses a systemic threat that firm-level due diligence alone cannot address.

The critical CTPP designation mechanism is the legislative response to that concentration risk. Rather than relying solely on financial entities to oversee their own suppliers, DORA empowers the ESAs to supervise designated providers directly. This creates obligations that run in two directions: designated providers are accountable to ESA lead overseers, and financial entities using those providers must structure their relationships in ways that make ESA oversight practicable.

In November 2025, the ESAs published the first official list of 19 designated critical ICT TPPs, covering major cloud infrastructure providers, core banking platforms, and specialist financial technology firms. For financial entities relying on designated providers, the practical question is whether existing contracts and governance structures meet the heightened scrutiny that designation brings.

How the ESA Designation Process Works Under Article 31

Article 31 of DORA sets out the framework for designating ICT third-party providers as critical. The designation is the product of a structured assessment process coordinated by the Joint Oversight Network (JON) and the Oversight Forum, the bodies established under Article 32 to coordinate ESA oversight activities across EBA, EIOPA, and ESMA.

The Designation Criteria

The ESAs assess potential critical ICT TPPs against criteria set out in Article 31(2). Assessment covers the systemic impact that a failure or operational disruption of the ICT TPP would have on the financial entities it serves, the systemic character or importance of those financial entities, the degree to which they rely on the provider for critical or important functions, and the degree of substitutability.

Substitutability is the criterion with the most practical weight. A provider serving a large proportion of systemically important institutions with few credible alternatives represents the clearest case for designation. Hyperscale cloud providers, major core banking platforms, and dominant data analytics providers have been widely discussed as likely candidates in ESA consultations, and the November 2025 designation list confirmed several of these.

How Designation Is Triggered

One ESA acts as lead overseer for each designated critical ICT TPP, assigned based on the financial sector where the provider has its predominant use. Once the assessment is complete and designation confirmed, the relevant ESA formally notifies the ICT TPP. From that point, the provider is subject to the oversight framework set out in Articles 33 to 35, which includes the right to request information, conduct general investigations, and carry out on-site inspections. Financial entities should monitor ESA oversight publications for updates to the designated CTPP list, which is published and updated annually.

What Designated Critical ICT TPPs Face

Designation leaves the services a critical ICT TPP provides unchanged. It imposes significant oversight obligations and rights of access that have direct implications for how financial entities structure their contracts with those providers.

ESA Audit and Information Rights

Under Article 35, the lead overseer has the right to request all information and documentation relevant to the services the critical ICT TPP provides to financial entities, conduct general investigations including interviews with personnel, and carry out on-site inspections at the premises of the critical ICT TPP with reasonable notice. These rights extend to material subcontractors that the critical ICT TPP itself relies on for services delivered to financial entities. For financial entities, this means their contractual arrangements with critical ICT TPPs must include provisions that do not obstruct these rights of access.

Oversight Recommendations and Compliance Consequences

The lead overseer can issue recommendations to critical ICT TPPs under Article 35(1)(d). Where a critical ICT TPP fails to comply with information requests, investigations, or required remediation actions under Article 35(1)(a)-(c), the lead overseer may impose periodic penalty payments of up to 1% of the critical ICT TPP's average daily worldwide turnover, applied daily for up to six months under Article 35(6)-(8). Recommendations issued under Article 35(1)(d) carry significant commercial and reputational weight, and non-compliance with the information and remediation obligations that flow from oversight activities triggers the financial penalty regime.

Under Article 42, where a financial entity fails to adequately address risks identified in lead overseer recommendations, competent authorities can require the financial entity to temporarily or permanently suspend use of the critical ICT TPP's services, or to terminate the contractual arrangement entirely, as a measure of last resort. This is a significant operational risk for any firm heavily dependent on a designated CTPP without a tested exit plan.

What Financial Entities Must Do: Managing Critical ICT TPP Relationships

For enterprises using critical ICT TPPs, DORA creates obligations that sit alongside and reinforce the general third-party risk management framework. Three governance areas demand particular attention.

Contractual Obligations Under Article 30

Article 30 sets out the mandatory minimum content for contracts between financial entities and ICT third-party providers. These requirements apply to all material ICT service agreements, and they take on heightened compliance significance when the provider is subject to ESA oversight. The contract must be the mechanism through which the financial entity can demonstrate its governance obligations are enforceable. The mandatory provisions are set out in the Article 30 checklist below.

Ongoing Monitoring and Internal Escalation

Financial entities must maintain continuous monitoring of critical ICT TPP performance against contractual service levels and ICT risk indicators. Article 28 requires that the monitoring framework is integrated into the entity's broader third-party risk management function, with clear escalation paths to the management body when material risks are identified.

For multi-entity groups or financial entities operating across multiple jurisdictions, the monitoring architecture must account for the fact that a single critical ICT TPP relationship may serve multiple legal entities simultaneously, each with their own regulatory obligations and competent authority. Central governance functions should maintain a consolidated view of critical ICT TPP exposure across the group.

Register of Information and Exit Planning

Under Article 28(3), financial entities are required to maintain a register of information covering all contractual arrangements with ICT third-party providers. For critical ICT TPPs, this register must be granular enough to support supervisory review. Significant institutions feed the register into supervisory reporting, and competent authorities can request it at any point.

Exit planning is a specific obligation under Article 28. Financial entities must develop and maintain documented exit strategies for critical ICT dependencies, including the capacity to migrate to alternative providers without unacceptable operational disruption. Where a designated critical ICT TPP has no near-term substitute, exit strategy documentation must address that constraint honestly and set out the risk management controls in place during the dependency period. Exit strategies must be tested as a genuine operational process, in addition to being formally documented.

Article 30 Contract Provisions: Required Checklist for Critical ICT TPP Agreements

DORA Article 30 has a two-tier structure. Article 30(2) sets out nine provisions that apply to all ICT third-party contractual arrangements. Article 30(3) sets out six additional provisions that apply specifically to contracts supporting critical or important functions. Legal and procurement teams should review both tiers against any material ICT third-party contract, and apply the full Article 30(3) requirements to any contract supporting a critical or important function.

Article 30(2): Provisions Applicable to All ICT Third-Party Contracts

Required contract provisions, with the DORA reference for each:

  • Article 30(2)(a): Full description of all ICT services and functions to be provided, including the conditions applicable to subcontracting
  • Article 30(2)(b): Locations where services are provided and data processed, including notification obligations for intended changes to those locations
  • Article 30(2)(c): Provisions on availability, authenticity, integrity and confidentiality of data, including personal data
  • Article 30(2)(d): Access, recovery and return of data in the event of insolvency, resolution or contract termination
  • Article 30(2)(e): Service level descriptions, including updates and revisions
  • Article 30(2)(f): Obligation to provide assistance at no additional cost (or at a cost determined ex ante) during an ICT incident attributable to the ICT TPP
  • Article 30(2)(g): Obligation to cooperate with the competent authorities and resolution authorities of the financial entity
  • Article 30(2)(h): Termination rights and minimum notice periods
  • Article 30(2)(i): Conditions for ICT TPP participation in ICT security awareness programmes and digital operational resilience training per Article 13(6)

Article 30(3): Additional Provisions for Contracts Supporting Critical or Important Functions

Article 30(3) provisions apply to all contracts between financial entities and ICT third-party providers that support critical or important functions, regardless of whether the provider is formally designated as a critical ICT TPP under Article 31. For designated critical ICT TPPs, both tiers apply in full.

Required contract provisions, with the DORA reference for each:

  • Article 30(3)(a): Full service level descriptions with precise quantitative and qualitative performance targets, and reporting obligations on service level performance
  • Article 30(3)(b): Notice periods and reporting obligations of the ICT TPP, including notification of developments that may have a material impact on the ICT TPP's ability to provide services
  • Article 30(3)(c): Obligation to implement and test business continuity plans and ICT security measures meeting applicable standards
  • Article 30(3)(d): Obligation to participate in threat-led penetration testing (TLPT) per Articles 26 and 27
  • Article 30(3)(e): Right to monitor ICT TPP performance on an ongoing basis, including unrestricted rights of access, inspection and audit; right of competent authorities to inspect and audit the ICT TPP; cooperation with the lead overseer for designated critical ICT TPPs
  • Article 30(3)(f): Exit strategy provisions, including mandatory transition periods and cooperation requirements to support migration to an alternative provider

For designated critical ICT TPPs, contracts must additionally include explicit provisions enabling ESA Lead Overseer access, documentation requests, and cooperation with oversight activities. This obligation derives from Article 35 and applies only where the provider has been formally designated as a critical ICT TPP by the ESAs.

Concentration Risk and the Governance Implications

The DORA oversight framework acknowledges a practical limitation: a financial entity cannot exit a critical ICT dependency simply because the provider has been designated. The regulatory response is governance: demonstrable oversight in the absence of a viable near-term exit. Enterprises must be able to demonstrate that critical ICT TPP dependencies are visible to the management body, that contractual protections are current against the Article 30 checklist, that ongoing monitoring generates substantive risk intelligence beyond SLA dashboards, and that exit strategy documentation is genuine and tested.

The ESA oversight framework operates alongside financial entity obligations rather than as a substitute for them. Designation of a provider as critical does not discharge the financial entity's duty to govern that relationship; it intensifies supervisory scrutiny of whether that governance is adequate. Supervisory scrutiny of Register of Information quality and third-party governance is expected to intensify through the 2026 supervisory cycle, as competent authorities move from implementation assessment to active compliance examination.

Strengthen Governance Over Critical ICT Providers

See how SureCloud helps financial entities manage DORA Article 30 contracts, maintain Register of Information records, monitor critical ICT third-party providers continuously, and operationalise tested exit strategies across the supplier lifecycle. Book a demo to see DORA third-party governance in practice.

FAQs

What makes an ICT third-party provider critical under DORA?

Under Article 31(2), criticality is determined by the ESAs based on four criteria: the systemic impact of the provider's potential failure, the systemic importance of dependent financial entities, the extent of reliance on the provider for critical or important functions, and the degree of substitutability. A provider serving a high proportion of significant institutions with no viable near-term alternative is the core case for designation. The Joint Oversight Network (JON) and Oversight Forum coordinate the formal assessment.

Do Article 30 contract obligations apply only to designated critical ICT TPPs?

Article 30's mandatory contract provisions apply to all contractual arrangements with ICT third-party providers supporting critical or important functions, regardless of whether those providers are formally designated as critical under Article 31. Designation heightens the importance of Article 30 compliance and triggers additional ESA oversight, but the contractual baseline applies across all material ICT relationships.

Can a financial entity be held accountable if its critical ICT TPP fails to cooperate with ESA oversight?

Article 42 sets out a graduated competent authority response. Where a financial entity fails to adequately address risks identified in lead overseer recommendations, the competent authority must first notify the firm and give it 60 calendar days to respond. As a measure of last resort under Article 42(6), competent authorities can require the financial entity to temporarily or permanently suspend use of the critical ICT TPP's services, or to terminate the contractual arrangement entirely. This makes maintaining enforceable Article 30 contracts and tested exit strategies a direct risk management priority.

What does an exit strategy for a critical ICT TPP need to include?

Under Article 28, exit strategies must address the steps the financial entity would take to migrate away from the critical ICT dependency without unacceptable disruption to critical or important functions. For designated critical ICT TPPs where substitution is not immediately practicable, the strategy should document the constraints, set out the risk controls that apply during the dependency period, and identify the conditions under which the exit would be triggered. Exit strategies must be tested as a genuine operational process, in addition to being formally documented.

What is the Joint Oversight Network and what role does it play?

The Joint Oversight Network (JON) and the Oversight Forum, established under Article 32, are the coordination mechanisms between EBA, EIOPA, and ESMA for supervising critical ICT TPPs. The JON coordinates between lead overseers on a day-to-day basis, while the Oversight Forum brings together senior representatives from European and national supervisory authorities to harmonise supervisory practice. Financial entities should monitor ESA DORA oversight publications for updates on the critical ICT TPP list and oversight expectations.

Which providers were designated as critical ICT TPPs in November 2025?

The ESAs published the first official list of 19 designated critical ICT TPPs on 19 November 2025. The list covers major cloud infrastructure providers, core banking platforms, and specialist financial technology firms, including AWS, Google Cloud, Microsoft, Oracle, SAP, IBM, and Deutsche Telekom, among others; it is updated and published annually. Financial entities should review the full designated CTPP list and assess their exposure to each designated provider.