DORA: EU Regulators Announce List of Critical ICT Third-Party Providers

Summary

The European Supervisory Authorities (ESAs) have published a list of 19 critical information and communications technology (ICT) third‑party providers (CTPP) that will be subject to direct oversight when the EU Digital Operational Resilience Act (DORA) takes effect. The list, released on November 18, 2025, includes hyperscale cloud providers, data‑center operators, infrastructure and network service firms, and providers of financial‑services‑specific technology. By designating these providers as critical, regulators aim to reduce systemic risk and enhance the overall digital resilience of the EU’s financial sector. The oversight will require the listed firms to comply with stricter operational resilience standards and ongoing supervisory monitoring. This regulatory step is a cornerstone of DORA’s broader effort to ensure that key technology services supporting Europe’s financial markets can withstand and quickly recover from disruptions.

Why It Matters

Reduces systemic risk in the EU financial sector
Establishes direct regulatory oversight over critical ICT providers

Key Points

• 19 critical ICT third‑party providers identified
• Covers hyperscale cloud, data‑center, infrastructure and network services
• Includes providers of financial‑services‑specific technology
• Providers will be subject to direct oversight under DORA
• Oversight aims to improve digital operational resilience
• List published by ESAs on November 18, 2025

Source: www.morganlewis.com

Original Publish Date: 18/11/2025

Entities: European Supervisory Authorities, ESAs, Digital Operational Resilience Act, DORA, EU