
The 19 CTPPs: How ESA Designation Changed the Cloud Provider-Bank Relationship Forever
On November 18, 2025, the ESAs designated 19 Critical Third-Party Providers — including AWS, Google, Microsoft, Oracle, and SAP — subjecting them to direct EU supervisory oversight for the first time.
Key Metrics
- Providers designated: 19 CTPPs (was: 0 pre-DORA). First-ever direct EU oversight of technology providers.
- Cloud providers: 5 (AWS, Google, Microsoft, Oracle, SAP) (was: no direct oversight). Subject to Lead Overseer powers.
- Penalty power: periodic penalty payments of up to 1% of average daily worldwide turnover (was: none). Imposed daily for up to six months.
- EU subsidiary requirement: mandatory within 12 months of designation (was: not required). Non-EU CTPPs must establish an EU presence.
The Situation
The Designation Criteria and Process
The CTPP designation was not arbitrary — it followed a structured assessment process defined by DORA Art. 31 and detailed in the Delegated Regulation 2025/420 establishing the rules for the Joint Examination Teams (JETs).
Art. 31(2) designation criteria. DORA Art. 31(2) lists four criteria, which the ESAs applied to each candidate provider:
1. Systemic impact of failure: Would the failure of this provider's services cause significant disruption to the financial services sector? For the five cloud providers (AWS, Google, Microsoft, Oracle, SAP), the answer was unambiguous — the AWS October 2025 outage (CS02) and Azure Front Door outage (CS05) had provided empirical evidence of systemic impact within the months preceding designation.
2. Degree of dependence: To what extent do financial entities depend on this provider for critical or important functions? The Register of Information data submitted in April 2025 (CS08) provided the quantitative foundation: aggregated register data revealed the concentration patterns that identified which providers served a critical mass of financial entities.
3. Substitutability: Could financial entities replace this provider with an alternative within a reasonable timeframe? For deeply integrated services — Bloomberg terminals, FIS core banking, AWS cloud infrastructure — the substitutability assessment confirmed what the industry already knew: these are not easily replaceable.
4. Effect of transfer or cessation: What would be the systemic impact if the provider's services were transferred or ceased? This criterion addresses not just failure but the broader scenario of a provider exiting the European market, being sanctioned, or being acquired by a non-cooperative entity.
The role of Register data. The April 2025 Register of Information submission was critical to the designation process. For the first time, the ESAs had entity-reported, standardized data on which providers serve which financial entities, for which functions, and at what criticality level. This data transformed the designation from a qualitative judgment into an evidence-based process.
Non-EU providers and the subsidiary requirement. Several designated CTPPs, including AWS, Google, and Microsoft, are headquartered outside the EU. Art. 31(12) requires a CTPP established in a third country to set up a subsidiary in the Union within 12 months of designation. This ensures that the Lead Overseer has a legal entity within EU jurisdiction to engage with, and against which its oversight powers can be exercised.
Delegated Regulation 2025/420 — JET rules. The Delegated Regulation establishing the rules for Joint Examination Teams was adopted alongside the designation. JETs are the operational mechanism through which the Lead Overseer conducts oversight activities — inspections, information requests, and assessments of CTPP resilience. The JET framework ensures that oversight is conducted by teams with the appropriate technical expertise and cross-sectoral perspective.
The Challenge
The Designation That Changed Everything
On November 18, 2025, the European Supervisory Authorities — the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — jointly designated 19 ICT third-party service providers as Critical Third-Party Providers (CTPPs) under DORA Art. 31. This was the first time in the history of European financial regulation that technology service providers were subjected to direct regulatory oversight by financial supervisory authorities — a structural shift in the relationship between the financial sector and its technology infrastructure providers.
The designated providers spanned five categories of ICT service delivery:
Cloud infrastructure and platforms: Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, Oracle Cloud Infrastructure, and SAP. These five providers collectively underpin a significant proportion of the European financial sector's computing, storage, and application infrastructure. Their designation as CTPPs means that the ESAs now have direct oversight authority over their global operations insofar as those operations support EU-regulated financial entities.
Telecommunications and data center infrastructure: Deutsche Telekom, Equinix, and InterXion (a Digital Realty company). These providers supply the physical network and co-location infrastructure that connects financial institutions to each other, to payment systems, and to their customers.
Financial data and analytics: Bloomberg and FIS (Fidelity National Information Services). Bloomberg's terminal network and data services are deeply embedded in trading, risk management, and compliance operations across the European financial sector. FIS provides core banking, payment processing, and capital markets technology.
Other critical ICT service providers: The remaining nine designated CTPPs included a range of providers across cybersecurity, managed services, and specialized financial technology — each meeting the designation criteria of systemic impact, dependency, and limited substitutability.
The designation was not a surprise — the regulatory groundwork had been laid years in advance. But the formal exercise of designation power transformed DORA's Pillar IV from a theoretical framework into an operational supervisory regime with real consequences for both financial entities and their technology providers.
The Approach
The Oversight Powers Activated
The CTPP designation activated a comprehensive set of oversight powers under DORA Art. 32-44 that fundamentally changed the regulatory landscape for technology providers serving the financial sector.
Art. 33-35 — Lead Overseer Tasks and Powers
Each designated CTPP is assigned a Lead Overseer under Art. 31(1)(b): the ESA responsible for the financial entities that together hold the largest share of total assets among the financial entities using the provider's services. The Lead Overseer's tasks are set out in Art. 33 and its powers in Art. 35, exercised through the procedures in Art. 37-39:
Information requests and general investigations (Art. 37-38): The Lead Overseer can require a CTPP to provide information, documents, and data relevant to the oversight function (Art. 37) and can conduct general investigations (Art. 38). This includes information about the CTPP's ICT risk management framework, service resilience capabilities, incident response procedures, and change management practices.
On-site inspections (Art. 39): The Lead Overseer can conduct inspections at the CTPP's business premises, including data centers, development facilities, and operations centers; inspections of premises located outside the Union are subject to the conditions in Art. 36. For cloud providers accustomed to operating behind carefully controlled customer interfaces, on-site regulatory inspection represents a significant change in the oversight relationship.
Recommendations (Art. 35(1)(d)): Following an assessment, the Lead Overseer can issue recommendations to a CTPP addressing identified risks or deficiencies. Recommendations are not legally binding on the CTPP (which is not a regulated financial entity), but Art. 42 attaches a comply-or-explain mechanism: within 60 calendar days of receipt, the CTPP must either notify the Lead Overseer of its intention to follow the recommendation or provide a reasoned explanation for not doing so. Competent authorities inform the financial entities concerned, and may as a last resort require them to temporarily suspend or terminate their arrangements with that CTPP.
Penalty power for non-cooperation (Art. 35(6)-(8)): If a CTPP fails to cooperate with the Lead Overseer, for example by refusing information requests, obstructing investigations or inspections, or failing to report on the measures taken in response to recommendations, the Lead Overseer can impose periodic penalty payments of up to 1% of the CTPP's average daily worldwide turnover in the preceding business year, applied daily until compliance and for no longer than six months. For a provider like AWS or Microsoft, 1% of daily worldwide turnover represents a material financial penalty.
Art. 29 — Implications for Financial Entities
The CTPP designation has direct implications for financial entities' concentration risk assessments under Art. 29. The designation confirms — at the regulatory level — that the designated providers represent systemic concentration risk. Financial entities must update their Art. 29 assessments to reflect the designation, including evaluating their own dependency on designated CTPPs, assessing substitutability, and documenting exit strategies under Art. 28(8).
The Extraterritorial Dimension
The designation of non-EU providers creates an extraterritorial oversight dimension. The Lead Overseer's powers extend to the CTPP's global operations insofar as they support EU-regulated financial entities, and Art. 36 sets out the conditions under which those powers may be exercised on premises located outside the Union, including coordination with the relevant third-country authority. In practice this means that an AWS data center in Virginia or a Google Cloud region in Singapore that hosts workloads for EU-regulated banks falls within the scope of the Lead Overseer's information requests and assessments.
The EU subsidiary requirement (12-month deadline from designation) creates a permanent EU presence for non-EU CTPPs, ensuring that the Lead Overseer has a legal entity within EU jurisdiction. This requirement has prompted significant organizational adjustments by the designated providers, who must establish or expand their EU regulatory affairs capabilities.
The Precedent for Global Regulation
The CTPP designation framework is the first EU regime, and among the first anywhere, to place named technology service providers under direct oversight by financial supervisory authorities. Other jurisdictions are building or operating parallel frameworks: the UK with its critical third-party regime, Singapore with the MAS outsourcing guidelines, and the UAE with the CBUAE cloud guidelines. The November 2025 designation established the operational precedent that these and future regimes will either adopt or adapt.
The Results
The New Regulatory Landscape
The November 2025 CTPP designation created a fundamentally new regulatory dynamic in the relationship between financial institutions and their technology providers. The implications are structural, not incremental.
For Designated CTPPs
Regulatory engagement becomes permanent. The designated CTPPs now maintain ongoing relationships with their Lead Overseers, including regular reporting, periodic assessments, and responsiveness to information requests. For providers like AWS, Google, and Microsoft — accustomed to interacting with financial institutions through commercial contracts and SLAs — the addition of a direct regulatory relationship with EU financial supervisory authorities represents a significant expansion of their compliance obligations.
EU subsidiary establishment. Non-EU CTPPs must establish EU subsidiaries within 12 months of designation. This requirement has driven organizational changes including the establishment of EU-based regulatory affairs teams, local governance structures, and EU-resident senior management responsible for Lead Overseer engagement.
Operational transparency increases. The Lead Overseer's powers of investigation and on-site inspection mean that CTPPs must be prepared to provide detailed information about their ICT risk management frameworks, change management procedures, incident response capabilities, and service resilience architectures. The level of operational transparency expected is significantly beyond what providers have historically shared with customers through commercial documentation.
For Financial Entities
Concentration risk is now regulatory fact. The designation confirms that dependency on CTPPs represents regulatory-grade concentration risk. Financial entities can no longer treat cloud provider dependency as a commercial arrangement outside the scope of their ICT risk management framework — it is now explicitly within DORA's regulatory perimeter.
Exit strategy requirements sharpen. With designated CTPPs subject to oversight that can result in recommendations, Art. 42 follow-up by competent authorities and, as a last resort, supervisory requirements that financial entities suspend or terminate their arrangements with a non-compliant CTPP, financial entities must ensure their Art. 28(8) exit strategies are not theoretical. The possibility that regulatory action could affect a CTPP's ability to serve EU financial entities adds a new dimension to exit strategy planning.
Register data quality matters more. The register data that informed the designation process will also inform ongoing supervisory assessments. Financial entities whose register data is inaccurate, incomplete, or outdated may face supervisory scrutiny — and their risk management decisions may be based on a false picture of their actual dependency patterns.
The Broader Significance
The CTPP designation framework represents a paradigm shift in technology regulation. For the first time, a regulatory authority has claimed — and exercised — the power to directly oversee the technology infrastructure that underpins an entire economic sector. The November 2025 designation is not just a DORA milestone; it is a precedent for how governments will regulate critical technology dependencies in the digital economy.
The 19 designated CTPPs collectively represent the technology infrastructure backbone of the European financial system. Their operational resilience — their ability to maintain service continuity, recover from failures, and resist cyberattacks — is now a matter of regulatory oversight, not just commercial contract compliance. This is the fundamental change that DORA's Pillar IV was designed to achieve, and the November 2025 designation made it operational reality.
Lessons Learned
1. DORA Art. 31 CTPP designation transformed Pillar IV from a theoretical framework into an operational supervisory regime: 19 technology providers are now subject to direct ESA oversight with investigation, inspection, and recommendation powers.
2. The Register of Information (Art. 28(3)) provided the empirical data foundation for evidence-based CTPP designation, validating the investment in register data quality.
3. Art. 29 concentration risk is now regulatory fact, not just risk management theory: financial entities must update concentration risk assessments to reflect CTPP designations.
4. Non-EU CTPPs must establish EU subsidiaries within 12 months (Art. 31(12)), creating a permanent EU-jurisdictional presence for the Lead Overseer to engage with.
5. Delegated Regulation 2025/420 (JET rules) provides the operational framework for oversight activities, ensuring that Lead Overseers have the technical expertise and cross-sectoral perspective needed for effective CTPP assessment.
6. The CTPP designation framework sets a regulatory precedent: other jurisdictions are developing parallel regimes that reference DORA's approach to technology provider oversight.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.