DORA ESA Oversight Framework: Critical TPP Guide
Highlights
- DORA Article 31 gives the ESAs direct oversight authority over designated critical ICT third-party providers (CTPPs), regardless of where those providers are headquartered.
- The first list of 19 designated CTPPs was published on 18 November 2025 and includes major cloud infrastructure providers, core platform vendors, and data centre operators.
- Each CTPP is assigned a Lead Overseer (EBA for banking, EIOPA for insurance, ESMA for investment and capital markets) with powers covering information requests, general investigations, on-site inspections, and penalty payments.
- Penalty payments for non-compliant CTPPs can reach 1% of average daily worldwide turnover, applied daily for up to six months.
- Financial entities using designated CTPPs must review concentration risk assessments, update TPRM frameworks, and ensure contracts contain the access and exit provisions DORA requires.
- Non-EU providers designated as critical must establish an EU subsidiary within 12 months of designation (Article 31(12)).
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about DORA and the ESA Direct Oversight Framework
"Most of the ICT providers I speak with are waiting to see if they get designated before they start preparing. That's the wrong order: the ESA designation criteria require evidence of systemic importance, and if you're significant enough to be designated, the documentation they'll want on Day 1 of an inspection is the documentation you should have been building already."
Key Facts
- Governing articles: DORA Article 31 (designation); Articles 32–40 (oversight framework and powers).
- Lead Overseers: EBA (banking), EIOPA (insurance and pensions), ESMA (investment firms and capital markets).
- Oversight powers: Information requests (Article 37); general investigations (Article 38); on-site inspections (Article 39); recommendations (Article 35(1)(d)); periodic penalty payments (Article 35(6)).
- Penalty maximum: 1% of average daily worldwide turnover, applied daily for up to six months.
- Jurisdictional reach: Applies to ICT providers regardless of where they are headquartered, provided they serve EU financial entities.
- EU subsidiary requirement: Non-EU providers designated as critical must establish an EU subsidiary within 12 months (Article 31(12)).
- First CTPP list: 19 designated providers, published 18 November 2025.
Why DORA Created a Direct Oversight Framework for ICT Providers
Before DORA, EU supervisory authorities had limited direct reach over the technology providers that financial institutions depend on. Banks, insurers, and investment firms were regulated; the cloud providers, data centre operators, and software vendors underpinning them were not, at least not within a financial services supervisory framework.
DORA's recitals identify ICT concentration as a structural stability concern. A small number of hyperscale cloud providers supply critical function infrastructure across multiple EU financial sectors, and that dependency creates systemic exposure that can't be addressed through entity-level supervision alone.
DORA Article 31 addresses this directly, establishing a mechanism by which the ESAs can bring the most systemically significant ICT providers within a binding supervisory framework, regardless of where those providers are headquartered. For financial entities, that creates a new layer of governance obligations covering concentration risk assessment, contract compliance, and contingency planning.
SureCloud's guide to CTPP governance under DORA covers how to structure these obligations in practice.
The CTPP Designation Process
Who Can Be Designated
DORA Article 31(2) sets out four criteria the ESAs apply when assessing whether to designate an ICT provider as critical. A provider must satisfy all four: the systemic impact of a large-scale operational failure on EU financial services; the systemic character of the financial entities relying on it; the reliance of those entities on the provider for critical or important functions; and the degree of substitutability, specifically how difficult it would be to switch to an alternative provider within a reasonable timeframe.
These criteria mean the largest cloud hyperscalers, major core banking platform vendors, and critical financial market infrastructure technology providers are the most likely candidates for designation. A provider with high concentration across a specific sector or product line may be designated even if it is not widely known outside the industry.
The Designation Procedure
The Oversight Forum, established under Article 32 and comprising representatives of EBA, EIOPA, and ESMA, coordinates the CTPP designation process. It recommends whether a given ICT provider should be designated; the formal designation decision is then issued through the Joint Committee of the ESAs.
Under Article 31(5), the Lead Overseer notifies the ICT provider of the assessment outcome and gives it six weeks to submit a reasoned statement with any relevant information. After formal designation, the provider is notified of the start date for oversight activities, which begin no later than one month after notification. The CTPP must then notify all of its financial entity clients of its designated status.
Designation is reviewed periodically and can be reversed if the conditions that led to it no longer apply. The first official list of 19 designated CTPPs was published by the ESAs on 18 November 2025 and includes major cloud infrastructure providers, platform vendors, and data centre operators active across EU financial services. The list is updated annually under Article 31(9).
The Lead Overseer Model
Each designated CTPP is assigned a Lead Overseer from one of EBA, EIOPA, or ESMA, based on the predominant type of financial entities using the provider's services. Where a CTPP primarily serves banking institutions, EBA is the Lead Overseer. Where it primarily serves insurance firms, EIOPA leads. Where it primarily serves investment firms and capital markets participants, ESMA leads.
The Lead Overseer model provides a single point of regulatory contact for each CTPP, avoiding duplicative oversight from multiple authorities. The Lead Overseer coordinates with the other ESAs through the JON (Joint Oversight Network) and with national competent authorities. A CTPP designated with EBA as Lead Overseer remains subject to the concerns and information requests of EIOPA and ESMA where their sectors are affected.
DORA Article 33 sets out the oversight tasks the Lead Overseer performs, including conducting oversight assessments based on comprehensive oversight plans, issuing recommendations on ICT risk mitigation, and escalating to the more coercive oversight powers in Articles 35 through 39 where necessary. Oversight activities are carried out with the assistance of Joint Examination Teams drawn from staff across the ESAs and relevant national competent authorities.
ESA Oversight Powers Over Designated CTPPs
The oversight powers available to Lead Overseers are graduated: they start with information gathering and assessment, and escalate through investigations and on-site inspections to financial penalties for non-compliance.
Information Requests and Document Access (Article 37)
Under Article 37, the Lead Overseer may require designated CTPPs to provide any information and documentation necessary to carry out its oversight functions, including access to contracts, risk management documentation, incident records, audit reports, and technical documentation. The CTPP must respond within defined timelines and can't invoke confidentiality obligations to commercial clients as grounds for refusing to provide regulatory information.
General Investigations (Article 38)
A general investigation goes further than a document request. Under Article 38, the Lead Overseer can interview CTPP staff directly, request formal written statements from management, and examine records in depth. The Lead Overseer must notify the competent authorities of the financial entities using the CTPP's services before the investigation begins. Non-cooperation is a ground for periodic penalty payments under Article 35(6).
On-Site Inspections (Article 39)
On-site inspections are the most operationally intrusive power in the oversight framework. Article 39 grants the Lead Overseer the right to enter any premises the CTPP uses to provide services to EU financial entities, normally with advance notice but without it in exceptional circumstances. Inspectors can access all systems, facilities, and documentation relevant to the services under inspection. For a large cloud provider, that could mean access to operational infrastructure in multiple EU-relevant locations.
Recommendations and Remediation Requirements (Article 35)
Following oversight assessments, the Lead Overseer issues recommendations under Article 35(1)(d) identifying ICT risk concerns and requiring remediation within defined timelines. The CTPP must respond formally, explaining either how it has addressed the recommendations or why it disagrees. Sustained non-compliance with recommendations escalates the oversight response toward the penalty framework in Article 35(6).
Financial Penalties (Article 35(6))
Designated CTPPs that fail to comply with oversight measures face periodic penalty payments under Article 35(6). Penalties are imposed on a daily basis once a 30-day remediation period has expired, and can run for up to six months. The penalty rate is up to 1% of the CTPP's average daily worldwide turnover in the preceding business year. The Lead Overseer determines the amount based on the gravity and duration of non-compliance, whether it was intentional or negligent, and the level of cooperation shown.
The penalty framework applies regardless of where a CTPP is headquartered. For the largest cloud providers, 1% of average daily worldwide turnover running daily for six months is not a routine compliance cost: it warrants board-level risk assessment and places cooperation with the Lead Overseer firmly within the scope of enterprise risk management.
What Financial Entities Using Designated CTPPs Should Do
Understand Your Concentration Exposure
DORA Article 29 requires financial entities to assess and manage ICT concentration risk: the risk arising from excessive reliance on a single ICT provider or a small number of providers for critical or important functions. This assessment must inform the ICT risk management framework and be visible in board-level ICT risk reporting.
For entities using providers that have been designated or are likely to be designated as CTPPs, the concentration risk assessment should explicitly address what proportion of critical function capability is provided by the CTPP, what a realistic exit timeframe would be if the CTPP faced regulatory sanctions, and whether contractual exit rights and data portability provisions are adequate.
A TPRM platform whose Gracie AI Agents, with Personas and Skills, run continuous third-party risk monitoring supports this assessment and keeps it current as the designation register is updated.
Review and Update Third-Party Contracts
DORA Article 30 sets out mandatory contractual provisions for ICT third-party agreements. For contracts with designated or likely-to-be-designated CTPPs, three areas require specific attention.
- Audit and inspection rights: Does the contract give the financial entity and, where required, the Lead Overseer access rights consistent with DORA's oversight framework?
- Exit planning provisions: Does the contract address data portability, transition assistance, and minimum notice periods in terms that would allow an orderly exit within a timeframe that is operationally realistic?
- Regulatory cooperation: Does the contract require the CTPP to cooperate with Lead Overseer information requests and inspections without prejudicing the financial entity's own regulatory compliance?
Prepare Contingency Plans for CTPP Disruption
DORA Article 11 requires financial entities to maintain ICT Business Continuity Plans for critical or important functions. Where those functions rely on a designated CTPP, the Business Continuity Plan should address CTPP regulatory disruption scenarios, not only technical failure scenarios.
- Operational restriction scenarios: Scenarios in which the CTPP is subject to operational restrictions imposed by the Lead Overseer, for example restrictions on taking on new EU financial entity clients or providing specific services.
- Escalated sanctions scenarios: Scenarios in which the CTPP fails to remediate Lead Overseer findings within required timelines, leading to escalated penalty payments.
- Transition planning: The practical steps the financial entity would take to maintain critical functions during a transition period, and the realistic timeline for executing them.
Engage With the CTPP on Its Oversight Status
Financial entities that are material clients of a designated CTPP have a legitimate interest in understanding the CTPP's oversight status and its response to Lead Overseer recommendations. CTPPs aren't required to disclose confidential regulatory correspondence to clients, but significant clients should establish a communication channel with their account management structure to receive timely notification of material oversight developments.
Article 30 contractual provisions should include a notification obligation requiring the CTPP to inform the financial entity of material regulatory actions that may affect service continuity. Where this obligation is absent from legacy contracts, it should be added during the next contract review cycle.
What ICT Providers Facing Potential Designation Should Know
For ICT providers operating at a scale that makes designation possible, the DORA oversight framework represents a significant expansion of regulatory obligations. Four areas require attention before designation takes effect.
- Engage with the Oversight Forum process proactively: Article 31(5) provides ICT providers with the right to submit a reasoned statement within six weeks of receiving notice of a proposed designation. This is a material opportunity to present information relevant to the designation criteria, and should be treated as a regulatory engagement, not a formality.
- Prepare for Lead Overseer information requests before they arrive: Well-organised, accessible records of risk management processes, incident history, contractual arrangements with EU financial entities, and compliance documentation will significantly reduce the operational burden when oversight activity begins.
- Review existing client contracts for DORA compliance: The contractual provisions Article 30 requires financial entities to obtain from ICT providers may not exist in legacy contracts. Large-scale contract remediation programmes require significant lead time and should begin ahead of designation.
- Allocate internal resources for oversight engagement: A Lead Overseer general investigation or on-site inspection requires sustained management attention and access to senior technical and compliance staff. It can't be delegated to a junior compliance team working in isolation.
FAQs
How does CTPP designation affect day-to-day service delivery to financial entities?
In the short term, CTPP designation primarily adds regulatory compliance obligations for the provider (oversight assessments, information requests, potential on-site inspections) rather than directly affecting service delivery to clients. Where a Lead Overseer issues recommendations that require operational or structural changes to the CTPP's service delivery model, those changes may have downstream effects on financial entity clients. The risk of material service disruption is most acute if a CTPP persistently fails to remediate Lead Overseer findings and faces escalated sanctions.
Can a financial entity continue using a designated CTPP after designation?
CTPP designation doesn't in itself restrict financial entities from continuing to use the designated provider's services. Designation triggers the Lead Overseer framework for the CTPP. Financial entities should, however, ensure their third-party risk assessments and concentration risk assessments are updated to reflect the designated status of any CTPPs in their supplier base, as Articles 28–30 require ongoing risk management of third-party relationships regardless of designation status.
What is the Joint Oversight Network and how does it operate?
The JON (Joint Oversight Network) is the coordination structure through which the Lead Overseers (EBA, EIOPA, and ESMA) exchange information and ensure consistent application of the oversight framework across sectors. The JON operates alongside the Oversight Forum, which is the formal sub-committee of the ESAs' Joint Committee responsible for CTPP designation recommendations and oversight coordination. Individual oversight activities (investigations and inspections) are carried out by Joint Examination Teams drawn from staff across the ESAs and national competent authorities.
Does the CTPP oversight framework apply to non-EU ICT providers?
DORA's jurisdictional reach is based on whether the provider offers ICT services to financial entities operating within the EU, not on where the provider is headquartered. Article 31 applies to ICT providers regardless of location, covering US and Asian technology companies in exactly the same way as EU-based providers. Article 31(12) adds a further requirement: non-EU providers designated as critical must establish an EU subsidiary within 12 months of designation.
How should we reflect CTPP designation risk in our TPRM framework?
Maintain a register of ICT third-party providers that includes designation status, covering whether a provider has been designated as a CTPP or meets the criteria that could lead to designation. The third-party risk assessment for designated CTPPs should explicitly address concentration risk, exit feasibility, and business continuity scenarios. KRI dashboards for the management body, required under Article 5(2), should include a concentration risk indicator covering CTPP reliance as part of the board's ongoing ICT risk oversight.
© SureCloud 2026. All rights reserved.
