Please note, your browser is out of date.
 For a good browsing experience we recommend using the latest version of Chrome, Firefox, Safari, Opera or Internet Explorer.
Advanced Search

Designation of Critical Entities – DORA Regulation

SÉRVULO PUBLICATIONS 19 Dec 2025

The European Supervisory Authorities – EBA, EIOPA, and ESMA – have published the first official list of critical third-party ICT providers (CTPPs) under Regulation (EU) 2022/2554, commonly known as the DORA Regulation. The process involved collecting data from financial entities’ information registers, followed by a thorough assessment of their systemic importance, the role they play in the functioning of financial institutions, and the substitutability of their services.

A total of 19 providers were designated:

  • Accenture plc
  • Amazon Web Services EMEA Sarl
  • Bloomberg L.P.
  • Capgemini SE
  • Colt Technology Services
  • Deutsche Telekom AG
  • Equinix (EMEA) B.V.
  • Fidelity National Information Services, Inc.
  • Google Cloud EMEA Limited
  • International Business Machine Corporation
  • InterXion HeadQuarters B.V.
  • Kyndryl Inc.
  • LSEG Data and Risk Limited
  • Microsoft Ireland Operations Limited
  • NTT DATA Inc.
  • Oracle Nederland B.V.
  • Orange SA
  • SAP SE
  • Tata Consultancy Services Limited

With the designation of CTPPs, the impact on financial institutions is significant:

  • Strengthen third-party risk management throughout the entire lifecycle, ensuring contracts comply with DORA requirements. Maintain an updated register of all ICT providers, highlighting those supporting critical functions, and be prepared to respond to supervisory requests.
  • If the European Supervisory Authorities issue recommendations to CTPPs, entities may need to assess impacts and implement corrective measures.
  • Prepare contingency plans to replace providers, if necessary, test failure scenarios, ensure data can be transferred easily, and guarantee rapid notifications in case of incidents. Analyze root causes and collaborate in security testing (TLPT) with CTPPs.
  • Enhance governance and visibility across the entire subcontracting chain, including indirect providers, data processing locations, and applicable laws, ensuring compliance with data protection rules and regulatory access.
  • Clearly demonstrate which critical functions depend on CTPPs, how controls and tests cover these dependencies, and how conclusions from European supervision are incorporated into risk management.
  • These measures require a deep review of outsourcing policies and operational risk management strategies.

 

Beatriz Figueiredo Teixeira | bft@servulo.com

Sara Ti | sct@servulo.com

 

 

download PDF
Expertise Relacionadas
TMT
Related Lawyers
Beatriz de Figueiredo Teixeira Sara Ti