EU Regulators Name First Critical ICT Providers Under DORA

Key Takeaways
  • DORA Oversight Launch: Regulators published the first list of critical ICT third-party providers, formally initiating DORA’s direct supervision regime.
  • Full Methodology Applied: The ESAs followed DORA’s required process end to end, including register reviews, criticality assessments, and provider notification.
  • Concentrated Digital Dependencies: The final list includes major cloud, data, and infrastructure firms whose services underpin core financial operations across the EU.
  • Next Phase of Supervision: With the designations public, regulators now begin examining ICT risk management, operational resilience, and service continuity.
Deep Dive

The European Supervisory Authorities have taken a step toward bringing the Digital Operational Resilience Act (DORA) to life, unveiling the first set of technology firms that will fall under direct EU oversight for the stability of the financial system. The designations mark the formal launch of DORA’s supervision regime for critical ICT third-party providers.

Regulators followed DORA’s required methodology from end to end. They began by reviewing ICT service registers maintained by financial institutions across the EU, a detailed map of who relies on whom for cloud hosting, data processing, infrastructure, and other essential technology services. Working with national competent authorities, the ESAs then ran a cross-sector criticality assessment looking at systemic impact, the importance of the functions supported, and how easily services could be substituted in the event of a disruption.

Providers considered potentially critical were notified and given the chance to respond before final decisions were made, a step the ESAs said was essential to ensuring the integrity of the process.

The final list reflects the concentration of digital dependencies in Europe’s financial sector. It includes several of the world’s largest cloud providers, data platforms, and infrastructure firms, companies whose services underpin everything from core banking systems to market operations. Names include major hyperscalers, global consultancies, and ICT infrastructure groups with extensive reach across the EU market.

With the designations now public, the ESAs move into the next phase of direct oversight. That will involve examining how each provider manages ICT risk, governs its operational resilience, and ensures continuity of the services that European financial institutions depend on.

Regulators said they will continue to engage with the designated firms as examination activities begin, marking a new level of supervisory scrutiny for technology providers that sit at the heart of the EU’s financial ecosystem.
