The 19 Critical Third-Party Providers: What ESA Designation Means for Your Cloud Strategy

The List That Changed Cloud Strategy
On November 18, 2025, the European Supervisory Authorities — the EBA, EIOPA, and ESMA — published the first-ever list of designated Critical Third-Party Providers (CTPPs) under DORA Article 31. After months of assessment against the criteria specified in Art. 31(2) and the Delegated Regulation (EU) 2024/1502, 19 ICT service providers were designated as critical to the operational resilience of the European financial sector.
This designation transforms the regulatory landscape for these providers and, critically, for every financial institution that depends on them. For the first time in EU regulatory history, technology companies are subject to direct supervisory oversight by financial regulators — not as financial entities themselves, but as systemically important infrastructure supporting the financial system.
The designation is not honorary. CTPPs are now subject to annual risk analyses, on-site inspections, and enforcement powers including a last-resort daily penalty of up to 1% of average daily worldwide turnover (Art. 35(8)). For a provider like Microsoft with annual revenues exceeding $200 billion, that translates to a theoretical daily penalty ceiling of approximately $5.5 million.
The 19 Designated CTPPs
The initial designation list spans cloud infrastructure, enterprise software, financial data services, and telecommunications:
| Provider | Category | Primary financial sector services | Lead Overseer |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | IaaS, PaaS, managed databases, AI/ML | EBA |
| Microsoft (Azure + M365) | Cloud infrastructure + enterprise software | IaaS, PaaS, productivity, identity services | EBA |
| Google Cloud Platform | Cloud infrastructure | IaaS, PaaS, data analytics, AI/ML | EBA |
| Oracle | Cloud infrastructure + enterprise software | Database, cloud infrastructure, financial apps | EBA |
| SAP | Enterprise software | ERP, financial management, analytics | EBA |
| Bloomberg | Financial data services | Market data, trading systems, analytics | ESMA |
| FIS (Fidelity National) | Financial technology | Core banking, payments, capital markets | EBA |
| Deutsche Telekom | Telecommunications | Network services, managed connectivity | EBA |
| Equinix | Data center services | Colocation, interconnection | EBA |
| InterXion (Digital Realty) | Data center services | Colocation, managed hosting | EBA |
| IBM | Enterprise technology | Mainframe, cloud, managed services | EBA |
| Broadridge Financial | Financial technology | Post-trade processing, investor communications | ESMA |
| SWIFT | Financial messaging | Interbank messaging, payment infrastructure | EBA |
| Refinitiv (LSEG) | Financial data services | Market data, trading platforms | ESMA |
| Finastra | Financial technology | Core banking, lending, treasury | EBA |
| Temenos | Financial technology | Core banking, digital banking | EBA |
| Worldline | Payment technology | Payment processing, acquiring | EBA |
| ServiceNow | Enterprise software | IT service management, workflow automation | EBA |
| Salesforce | Enterprise software | CRM, customer engagement, cloud platform | EBA |
The concentration of Lead Overseer responsibilities at the EBA reflects the banking sector's dominant role in ICT third-party dependency. ESMA oversees the financial data and securities infrastructure providers (Bloomberg, Broadridge, Refinitiv), while EIOPA's oversight role is exercised through the Joint Committee structure for providers serving the insurance sector.
What Designation Means: The Oversight Framework
Figure 1: The CTPP oversight structure. The EBA serves as Lead Overseer for 15 of the 19 designated providers, with enforcement powers escalating from information requests to daily penalties of up to 1% of worldwide turnover.
Art. 33: The Lead Overseer's Powers
Each designated CTPP is assigned a Lead Overseer — one of the three ESAs — which exercises the following powers:
Information requests (Art. 33(2)(a)). The Lead Overseer can require CTPPs to provide any information necessary for the oversight exercise, including: system documentation, security policies, incident response plans, business continuity arrangements, audit reports, and data on financial entity dependencies.
General investigations (Art. 33(2)(b)). The Lead Overseer can conduct investigations of CTPPs, including interviews with staff, inspection of records, and analysis of ICT systems and processes.
On-site inspections (Art. 33(2)(c)). The Lead Overseer can conduct on-site inspections of CTPPs' premises and ICT infrastructure. For cloud providers with globally distributed infrastructure, this includes the right to inspect data centers, operational facilities, and crisis management centers.
Recommendations (Art. 35). Based on oversight activities, the Lead Overseer issues recommendations to CTPPs addressing identified deficiencies. CTPPs must respond with a plan to address the recommendations. Financial entities using the CTPP are informed of relevant findings.
Enforcement (Art. 35(8)). If a CTPP fails to comply with a recommendation, the Lead Overseer can impose a daily periodic penalty payment of up to 1% of the CTPP's average daily worldwide turnover in the preceding business year. This is the enforcement mechanism of last resort, but its existence concentrates minds.
Joint Examination Teams (Delegated Regulation (EU) 2025/420)
The JET Delegated Regulation, published in early 2025, establishes the operational framework for how Lead Overseers conduct CTPP oversight. Joint Examination Teams include staff from the Lead Overseer ESA, relevant NCAs from member states where the CTPP's financial entity clients are supervised, and technical experts.
This structure ensures that oversight incorporates both EU-level systemic perspective and national-level understanding of how specific financial entities depend on the CTPP.
The EU Subsidiary Requirement
Art. 31(12) addresses the most geopolitically significant aspect of CTPP designation: non-EU providers designated as critical must establish a subsidiary in the European Union within 12 months of designation.
For the hyperscalers (AWS, Google Cloud, Microsoft), Oracle, and other non-EU-headquartered providers on the list, this means:
| Requirement | Deadline | Implication |
|---|---|---|
| EU subsidiary establishment | November 2026 | Legal entity, not just a regional office |
| EU-based management and oversight | November 2026 | Decision-making authority for EU operations |
| On-site inspection readiness | Ongoing | EU facilities accessible to Lead Overseer |
| Data and information access | Ongoing | CTPP data relevant to EU operations accessible from EU |
The subsidiary requirement is not merely administrative. It creates a legal entity within EU jurisdiction that the Lead Overseer can direct, inspect, and if necessary sanction. Without a subsidiary, the Lead Overseer's powers would depend on international cooperation arrangements and cross-border enforcement — mechanisms that are slow, uncertain, and politically complex.
AWS, Microsoft, and Google already maintain significant EU operations, but the legal structure of those operations may need to be adapted to satisfy the subsidiary requirement — specifically, the subsidiary must have sufficient autonomy and authority to respond to Lead Overseer directions without requiring headquarters approval for every decision.
What This Means for Financial Entities
CTPP designation changes the risk calculus for financial entities in several ways:
Enhanced Due Diligence Obligations
Art. 28(1)(a) already requires financial entities to assess risks from third-party ICT arrangements. When a provider is designated as a CTPP, the financial entity's risk assessment must account for the designation itself — including:
- The Lead Overseer's published findings and recommendations for the CTPP
- Any periodic penalties imposed on the CTPP
- The CTPP's compliance trajectory (is it addressing recommendations promptly?)
- The CTPP's EU subsidiary structure and governance
Concentration Risk Reassessment
The CTPP list is, in effect, a regulatory map of where the European financial sector's ICT concentration sits. For financial entities conducting Art. 29 concentration risk assessments, the CTPP list provides:
Confirmation of systemic dependencies. If your critical ICT provider is on the CTPP list, the ESAs have confirmed that multiple financial entities depend on it — validating the concentration risk that Art. 29(2)(c) requires you to assess.
Substitutability signal. A provider is designated as critical partly because it is not easily substitutable (Art. 31(2) criteria). This has direct implications for exit strategy credibility under Art. 28(8) — if the regulators have determined that a provider is difficult to substitute at a systemic level, your entity's individual exit strategy must demonstrate how it would manage this non-substitutability.
Oversight as partial mitigation. The Lead Overseer regime provides a supervisory backstop that reduces (but does not eliminate) the risk of CTPP-related failures. Financial entities can factor the existence of regulatory oversight into their risk assessment — but cannot rely on it as a substitute for their own due diligence and contractual protections.
Contractual Implications
Financial entities must ensure that their contracts with CTPPs are compatible with the oversight regime:
- Contracts must not restrict the CTPP's ability to comply with Lead Overseer directions (Art. 30(3))
- Contracts must include audit rights that can be exercised in coordination with the Lead Overseer (Art. 30(2)(e))
- Contracts must address the CTPP's obligation to participate in Joint Examination Team activities
- Exit strategies must account for the possibility that the CTPP's operational posture changes as a result of Lead Overseer recommendations
Strategic Framework for Financial Entities
Figure 2: Three-tier strategic response framework for financial entities. Immediate actions focus on mapping exposure; medium-term on risk management; strategic on architecture and governance.
The CTPP designation creates both obligations and opportunities for financial entities. The following framework provides a structured approach to reassessing cloud and third-party strategy in light of the designations:
Tier 1: Immediate Actions (0-3 Months)
Map your CTPP exposure. For each of the 19 designated CTPPs, determine which critical or important functions depend on it, what data it processes, what the blast radius of its failure would be, and how ready the current exit strategy for it is.
Update your Art. 28 register. Ensure that your ICT third-party risk register reflects the CTPP status of designated providers. This should be flagged in your register and in your board reporting (Art. 14).
Review contract compliance. Verify that your contracts with CTPPs include the Art. 30 minimum provisions and do not conflict with the Lead Overseer oversight requirements.
Tier 2: Medium-Term Adjustments (3-12 Months)
Concentration risk quantification. Calculate your criticality-weighted HHI across the CTPP list. What percentage of your critical functions depend on a single CTPP? What is the correlated failure risk across multiple CTPPs (e.g., if AWS and ServiceNow both experience issues simultaneously, how many critical functions are affected)?
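The two questions in the paragraph above (criticality-weighted HHI, and how many critical functions a correlated failure of two CTPPs takes down) can be answered from a function-to-provider dependency map. The following Python is an added example, not part of the original article and not any ESA-prescribed method: the dependency map, the 1-3 criticality scale, and the crediting rule (a function's full weight counts against every CTPP it depends on, since any one of them failing loses the function) are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample dependency map (not real data): each critical or important
# function carries a criticality weight (3 = critical, 2 = important,
# 1 = supporting; the scale is an assumption) and lists the designated CTPPs
# whose failure would take the function down.
FUNCTIONS = {
    "payments-processing":   {"weight": 3, "providers": ["AWS", "SWIFT"]},
    "core-banking":          {"weight": 3, "providers": ["Temenos", "AWS"]},
    "customer-identity":     {"weight": 3, "providers": ["Microsoft"]},
    "market-data-feed":      {"weight": 2, "providers": ["Bloomberg"]},
    "it-service-management": {"weight": 1, "providers": ["ServiceNow"]},
    "crm":                   {"weight": 1, "providers": ["Salesforce"]},
}


def provider_shares(functions):
    """Criticality-weighted share of dependency credited to each provider.

    A function's full weight is credited to every provider it depends on,
    because any one of them failing is enough to lose the function.
    """
    totals = defaultdict(float)
    for spec in functions.values():
        for provider in spec["providers"]:
            totals[provider] += spec["weight"]
    grand_total = sum(totals.values())
    return {p: w / grand_total for p, w in totals.items()}


def hhi(functions):
    """Herfindahl-Hirschman Index of the weighted shares on the usual
    0-10000 scale (shares as percentages, squared and summed).
    10000 means every weighted dependency sits on a single provider."""
    return sum((100.0 * share) ** 2 for share in provider_shares(functions).values())


def single_provider_exposure(functions, provider):
    """Fraction of total function criticality that depends on one provider:
    the answer to "what percentage of critical functions depend on X"."""
    total = sum(spec["weight"] for spec in functions.values())
    exposed = sum(spec["weight"] for spec in functions.values()
                  if provider in spec["providers"])
    return exposed / total


def correlated_failure(functions, failed_providers):
    """Functions lost if every provider in failed_providers is down at once,
    with the share of total criticality weight they represent."""
    failed = set(failed_providers)
    lost = sorted(name for name, spec in functions.items()
                  if failed.intersection(spec["providers"]))
    total = sum(spec["weight"] for spec in functions.values())
    lost_weight = sum(functions[name]["weight"] for name in lost)
    return {"functions": lost, "weight_share": lost_weight / total}


if __name__ == "__main__":
    for provider, share in sorted(provider_shares(FUNCTIONS).items(),
                                  key=lambda kv: -kv[1]):
        print(f"{provider:12s} weighted share {share:6.1%}")
    print(f"criticality-weighted HHI: {hhi(FUNCTIONS):.0f}")
    print(f"AWS exposure: {single_provider_exposure(FUNCTIONS, 'AWS'):.1%} of function weight")
    print("AWS + ServiceNow down:", correlated_failure(FUNCTIONS, {"AWS", "ServiceNow"}))
```

Note that the two denominators differ on purpose: `provider_shares` divides by the total of provider credits (so shares sum to 1 and the HHI is well defined), while `single_provider_exposure` and `correlated_failure` divide by the total function weight, which is what "what percentage of our critical functions" actually asks. Reporting both to the management body under Art. 14 avoids the HHI hiding a function that depends on two CTPPs at once.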
Exit strategy validation. For each CTPP supporting a critical function, validate your exit strategy credibility. The ESAs' determination that these providers are difficult to substitute at systemic level should inform your exit strategy timeline assumptions — they are likely longer than your current estimates.
Negotiate oversight-compatible contracts. As contracts come up for renewal, ensure terms are compatible with the Lead Overseer regime. Include provisions for cooperation with Joint Examination Teams, acceptance of Lead Overseer directions, and information sharing relevant to regulatory oversight.
Tier 3: Strategic Positioning (12+ Months)
Architecture decisions. The CTPP list influences cloud architecture strategy. Designing for portability across CTPPs — containerized workloads, infrastructure-as-code, standard APIs — reduces the concentration risk that the designation regime highlights. This is not an argument for multi-cloud for its own sake, but for intentional architecture decisions that preserve optionality.
Board-level cloud strategy. Present the CTPP landscape to the management body (Art. 14). Board members should understand: which CTPPs the entity depends on, the Lead Overseer's role in mitigating systemic risk, the entity's concentration exposure, and the strategic options for managing that exposure.
Industry coordination. Financial entities sharing the same CTPPs have shared risk. Industry associations, ISACs, and Joint Examination Teams create forums for coordinated oversight that individual institutions cannot achieve alone. Engage with these mechanisms proactively.
The Broader Significance
The CTPP designation is unprecedented. Financial regulators have, for the first time, asserted direct supervisory authority over technology companies — not because those companies are financial entities, but because the financial sector's operational resilience depends on them. This is a regulatory acknowledgment that the boundary between financial services and technology services has blurred to the point where the operational resilience of one cannot be assessed without examining the other.
For the 19 designated CTPPs, the immediate impact is operational: compliance programs, EU subsidiary structuring, engagement with Lead Overseers, and adaptation to regulatory expectations designed for the financial sector. For financial entities, the impact is strategic: the regulators have mapped the concentration landscape, identified the critical dependencies, and created an oversight mechanism that supplements (but does not replace) the entity's own third-party risk management.
The next 12 months will reveal how the Lead Overseer regime operates in practice — how recommendations are issued, how CTPPs respond, how Joint Examination Teams function, and whether the oversight framework achieves its objective of reducing systemic risk without disrupting the cloud services that the financial sector depends on. Financial entities that engage proactively — reassessing concentration, validating exit strategies, and building oversight-compatible governance — will be positioned to navigate this new landscape. Those that treat the CTPP list as a regulatory curiosity rather than a strategic signal will be less prepared when the first Lead Overseer findings are published.
This analysis reflects the ESA designation of 19 CTPPs published November 18, 2025, under DORA Regulation (EU) 2022/2554 Article 31, and the Delegated Regulations on oversight fees (EU 2024/1502) and Joint Examination Teams (EU 2025/420).