The First CTPP Designations: A Strategic Analysis for Financial Entities

A Regulatory First
On November 18, 2025, the European Supervisory Authorities exercised one of the most consequential powers in modern financial regulation: the designation of 19 Critical Third-Party Providers (CTPPs) under DORA Article 31. For the first time in regulatory history, EU financial supervisors gained direct oversight authority over the technology companies that underpin the European financial system.
The designation list was anticipated but not predetermined. The financial sector had debated which providers would be designated, which criteria would prevail, and what the practical implications would be. The answer, when it arrived, was broader than many expected. The 19 designated CTPPs span five categories, reflecting the full breadth of ICT dependencies that DORA's framers intended to bring under supervisory oversight.
The 19 Designated CTPPs

| Category | Designated CTPPs | Primary financial sector dependency |
|---|---|---|
| Cloud infrastructure | AWS, Google Cloud, Microsoft Azure, Oracle Cloud | Compute, storage, networking for core banking, payments, analytics |
| Enterprise software | SAP, Microsoft (365/Dynamics) | ERP, treasury, risk management, back-office operations |
| Telecommunications | Deutsche Telekom, Equinix, InterXion | Network connectivity, data center colocation, interconnection |
| Financial data | Bloomberg, Refinitiv (LSEG) | Market data, trading infrastructure, reference data |
| Financial technology | FIS, Temenos, Finastra, SS&C | Core banking platforms, payment processing, asset management |

The designation reflects a systemic risk analysis: each of these providers, if it were to experience a major operational failure, would affect a critical mass of EU financial entities simultaneously. The designation criteria under Art. 31(2) — including the number of dependent financial entities, the criticality of supported functions, and the degree of substitutability — were applied rigorously.
What Designation Means: The Oversight Framework
Designation transforms a technology provider's regulatory status. Before designation, a provider's relationship with financial regulators was indirect — mediated through the financial entities that contracted with it. After designation, the provider has a direct relationship with its assigned Lead Overseer (EBA, ESMA, or EIOPA) and is subject to:
- Direct examination powers. The Lead Overseer can conduct on-site and off-site examinations of the CTPP's operations, including data center inspections, governance reviews, and security testing assessments (Art. 35-36).
- Information request powers. The CTPP must provide any information the Lead Overseer requests that is relevant to oversight activities. Refusal or obstruction triggers the penalty framework (Art. 35(1)).
- Recommendation authority. The Lead Overseer can issue formal recommendations requiring the CTPP to address identified risks, strengthen controls, or modify practices (Art. 35(1)(d)).
- Penalty powers. Non-compliance with recommendations can result in penalties of up to 1% of the CTPP's average daily worldwide turnover per day of non-compliance (Art. 35(8)). For the largest cloud providers, this represents potential daily penalties in the tens of millions of euros.
- EU subsidiary requirement. Non-EU CTPPs must establish a subsidiary within the EU within 12 months of designation (Art. 31(12)). This ensures the Lead Overseer has a legal entity within EU jurisdiction against which it can exercise its powers.

Category Analysis: Cloud Infrastructure
The designation of AWS, Google Cloud, Microsoft Azure, and Oracle Cloud as CTPPs was the most anticipated component of the November announcement. These four providers collectively host the vast majority of EU financial sector cloud workloads.
Implications for the cloud providers:
- Each must designate a Lead Overseer liaison and prepare for Joint Examination Team (JET) examinations
- Multi-region architecture, disaster recovery capabilities, and incident management processes will be subject to regulatory scrutiny
- Sub-outsourcing chains (including hardware suppliers, subsea cable operators, and power providers) must be documented and available for review
- Security testing practices and vulnerability management will be examined against financial sector expectations

Implications for financial entities using these providers:
- Art. 29 concentration risk assessments must be updated to reflect the CTPP designation status
- Exit strategies under Art. 28(8) gain urgency — if a designated CTPP receives a critical finding from the Lead Overseer, dependent financial entities must have contingency plans
- Contractual provisions must meet Art. 30 requirements, including audit rights that now operate alongside (not as a substitute for) regulatory oversight
- The Register of Information (Art. 28(3)) entries for designated CTPPs must be complete and accurate

Category Analysis: Financial Technology
The designation of FIS, Temenos, Finastra, and SS&C reflects the financial sector's dependence on specialized technology platforms for core operations. Unlike cloud providers, which offer general-purpose infrastructure, these companies provide financial-sector-specific platforms: core banking systems, payment engines, asset management platforms, and securities processing systems.

| Financial technology CTPP | Primary services | Substitutability challenge |
|---|---|---|
| FIS | Payment processing, core banking, capital markets technology | Deep integration with payment networks; migration measured in years |
| Temenos | Core banking platform (T24/Transact) | Proprietary data models; migration requires complete system replacement |
| Finastra | Treasury, lending, trade finance | Specialized in capital markets workflow; few direct alternatives at scale |
| SS&C | Asset management, fund administration | Embedded in fund accounting and transfer agency operations |

The substitutability challenge for financial technology CTPPs is arguably more acute than for cloud providers. A bank can theoretically migrate from one cloud provider to another (given sufficient time and investment). Replacing a core banking platform is a multi-year, institution-defining project that most banks undertake at most once per decade.
This substitutability constraint directly informs Art. 29 concentration risk assessments. Financial entities dependent on a designated financial technology CTPP face concentration risk that cannot be mitigated through diversification alone — exit strategy credibility and the CTPP's own operational resilience become the primary risk management levers.
Category Analysis: Financial Data
Bloomberg and Refinitiv (LSEG) occupy a unique position in the financial infrastructure. Market data is not merely an input to trading — it is the foundation of price discovery, risk management, regulatory reporting, and client communication. A Bloomberg Terminal outage does not just inconvenience traders; it removes the information infrastructure that enables informed financial decision-making.
The designation of financial data providers as CTPPs recognizes this systemic importance. It also creates a novel supervisory challenge: financial data providers operate at the intersection of market infrastructure (traditionally regulated) and ICT service provision (newly regulated under DORA). The Lead Overseer must navigate this intersection, ensuring that oversight of operational resilience does not inadvertently interfere with market data provision.
The Financial Entity Action Framework
The CTPP designations trigger specific obligations for every financial entity that contracts with a designated provider. The following action framework maps these obligations to implementation timelines:
Immediate Actions (30 days)
1. Identify your CTPP dependencies. Cross-reference the 19 designated CTPPs against your Register of Information. Document which critical or important functions depend on each designated CTPP.
2. Classify dependency criticality. For each CTPP relationship, classify whether the dependency supports a critical function (Art. 3(22)), an important function, or a non-critical function. The classification determines the intensity of required risk management.
3. Notify the management body. Art. 5 governance obligations require the board to be informed of material developments affecting the institution's ICT risk posture. The CTPP designations are material. Board minutes should document awareness and any decisions taken.
Short-Term Actions (90 days)
4. Update concentration risk assessment. Art. 29 requires concentration risk assessment that accounts for the CTPP's designation status. The assessment should now incorporate:
- The number of critical functions dependent on each designated CTPP
- The provider's substitutability (particularly for financial technology CTPPs)
- Whether other institutions in your market segment depend on the same CTPP (systemic concentration)
- The impact of a potential regulatory recommendation or penalty on the CTPP's service provision
5. Review and update exit strategies. Art. 28(8) exit strategies for designated CTPPs must be reassessed for credibility. The designation adds a new exit trigger: regulatory action against the CTPP. Exit strategies should address the scenario where the Lead Overseer imposes restrictions that affect the CTPP's ability to serve financial entities.
6. Verify Art. 30 contractual compliance. Contracts with designated CTPPs must include all mandatory provisions of Art. 30, with particular attention to:
- Audit rights (Art. 30(2)(e)) — now operating alongside regulatory oversight
- Subcontracting provisions (Art. 30(2)(a))
- Termination and transition assistance (Art. 30(2)(f))
- Data access and return provisions (Art. 30(3))

Medium-Term Actions (180 days)
7. Assess sub-outsourcing exposure. Designated CTPPs themselves rely on sub-contractors. AWS relies on hardware manufacturers, network providers, and power utilities. FIS relies on cloud infrastructure, data centers, and telecommunications. Map your exposure to the CTPP's sub-outsourcing chain.
8. Evaluate multi-provider strategies. For critical functions dependent on a single designated CTPP, assess the feasibility and cost of multi-provider arrangements. This is most relevant for cloud infrastructure (where multi-cloud is architecturally possible, if expensive) and least relevant for core banking platforms (where substitution is a multi-year programme).
9. Prepare for regulatory information requests. National competent authorities (NCAs) participating in JET examinations of designated CTPPs may request information from dependent financial entities about their experience with the provider: service disruptions, SLA performance, contractual concerns. Maintain records that enable a rapid, accurate response.
The Second-Order Effects
Beyond the direct obligations, the CTPP designations produce second-order effects that will reshape the relationship between financial entities and their technology providers over time:
Power rebalancing. The designation creates a regulatory counterweight to the market power of large technology providers. A hyperscale cloud provider negotiating contract terms with a single mid-sized bank has overwhelming bargaining power. The same provider negotiating in the shadow of Lead Overseer oversight and potential daily penalties of up to 1% of its average daily worldwide turnover faces a more balanced negotiation.
Standardization pressure. As the Lead Overseer examines designated CTPPs and issues recommendations, a de facto standard for ICT service provision to the financial sector will emerge. CTPPs will adopt these standards to satisfy regulatory expectations, and the standards will cascade to non-designated providers seeking to compete.
Innovation implications. Regulatory oversight imposes compliance costs on designated CTPPs. This may affect the speed at which new features and services are deployed for financial sector clients, as regulatory review becomes part of the product development process. The tension between innovation speed and regulatory assurance will be a defining dynamic of the oversight regime's first years.
Market entry barriers. CTPP designation criteria include scale of financial sector dependency — which means the designation regime implicitly favors incumbents. A new cloud provider seeking to serve the European financial sector faces the prospect of CTPP designation once it reaches sufficient scale, creating a regulatory compliance cost that may deter market entry.
What Comes Next
The November 2025 designations are the first batch. Art. 31 provides for ongoing review of the CTPP list, with new designations possible as the financial sector's ICT dependency landscape evolves. Emerging technology categories — AI model providers, blockchain infrastructure operators, cybersecurity-as-a-service platforms — may face designation in future cycles.
For financial entities, the strategic imperative is clear: understand your CTPP dependencies, manage the concentration risk they create, maintain credible exit strategies, and prepare for a supervisory environment where your technology providers are no longer beyond regulatory reach.
This analysis reflects the CTPP designations published by the ESAs on November 18, 2025, under DORA Article 31. The specific CTPPs listed are based on public designations and may be supplemented by additional designations in subsequent ESA determinations.