DORA's third pillar is the EU-level oversight framework for critical ICT third-party providers (CTPPs). Article 31 of Regulation (EU) 2022/2554 empowers the three European Supervisory Authorities (EBA, EIOPA, and ESMA), acting through the Joint Committee, to designate ICT third-party providers as critical based on quantitative and qualitative criteria reflecting the systemic importance of those providers to the EU financial sector. Designated CTPPs are placed under direct EU oversight by one of the three ESAs acting as Lead Overseer, parallel to but distinct from the national supervision of the financial entities that contract with them. With the first DORA Register of Information submission concluded in April 2025 and validation cycles completed during May 2025, the ESAs have the data they need to issue first designations — and the operational implications for cloud providers, core processing vendors, and other strategic ICT providers are significant.
# What is the CTPP designation process?
Article 31(2) sets out the criteria the ESAs must consider. The quantitative element draws on data submitted by financial entities through the Register of Information under Article 28 — specifically the population of EU financial entities that depend on each ICT provider, weighted by criticality of the services received and by the systemic importance of the financial entities themselves. The qualitative element considers substitutability of the provider, the global presence and group structure of the provider, and the degree to which financial entities concentrate critical or important functions on the provider. The Commission adopted the criteria under Article 31(6) through Delegated Regulation (EU) 2024/1502, which specifies the operational metrics and thresholds used to score candidate CTPPs.
# How does the Register of Information feed this?
The April 2025 Register of Information submission — the first under DORA — required financial entities to report each contractual arrangement with ICT third-party providers, including provider identifier (LEI where available), provider country of establishment, services provided, criticality classification (critical or important function support, or other), substitutability assessment, and contract dates. The Commission's expectation was that the first cycle would have data quality issues, and the ESAs published guidance during the submission window on common error correction. Submissions to competent authorities ran from 1 April to 15 April 2025, with national competent authorities forwarding the registers to ESAs by 30 April 2025. A second round of validation checks ran throughout May 2025, with re-submission of corrected entries where errors were detected.
# Register of Information fields most relevant to CTPP designation
For each contractual arrangement:
- ICT third-party provider LEI (and parent LEI where applicable)
- country of establishment
- service category (one of the standardised types)
- support for critical or important function (yes/no)
- substitutability assessment (easy / difficult / not substitutable)
- reliance on subcontractors (chain depth)
- contract value
- data location and processing scope
- exit strategy documented (yes/no)
For each ICT third-party provider (aggregated across the register):
- total number of financial entity contracts
- weighted exposure by financial entity systemic importance
- sector spread across financial sector subsectors
- geographic concentration across EU Member States
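The per-provider aggregation described above can be run over an entity's own register extract to see where its concentration lies. The script below is an added example, not code from the page, the ESAs or any vendor: the field names follow the register fields listed above, while the numeric weights and the enumerated values are illustrative assumptions and not the thresholds of Delegated Regulation (EU) 2024/1502. It also includes a row-level validation step of the kind the May 2025 re-submission cycle was meant to catch.

```python
"""Aggregate a Register of Information extract into per-provider concentration metrics.

Added example. The weights below are illustrative assumptions only; the real
scoring criteria live in Delegated Regulation (EU) 2024/1502 and are not reproduced here.
"""
from dataclasses import dataclass, field

# Assumed weights (not from the regulation): reporting entity tier, criticality, substitutability.
ENTITY_WEIGHT = {"significant": 3.0, "standard": 1.0}
CRITICALITY_WEIGHT = {"critical_or_important": 2.0, "other": 1.0}
SUBSTITUTABILITY_WEIGHT = {"easy": 1.0, "difficult": 1.5, "not_substitutable": 2.0}

REQUIRED_FIELDS = ("entity", "entity_tier", "sector", "state", "provider_lei",
                   "country", "service", "criticality", "substitutability")

# Constructed sample rows: one per contractual arrangement, as an entity would report it.
REGISTER = [
    {"entity": "BankA", "entity_tier": "significant", "sector": "credit_institution", "state": "DE",
     "provider_lei": "LEI-CLOUD-1", "country": "US", "service": "cloud_iaas",
     "criticality": "critical_or_important", "substitutability": "difficult"},
    {"entity": "InsurerB", "entity_tier": "standard", "sector": "insurance", "state": "FR",
     "provider_lei": "LEI-CLOUD-1", "country": "US", "service": "cloud_iaas",
     "criticality": "critical_or_important", "substitutability": "not_substitutable"},
    {"entity": "FundC", "entity_tier": "standard", "sector": "asset_management", "state": "IE",
     "provider_lei": "LEI-CLOUD-1", "country": "US", "service": "saas_reporting",
     "criticality": "other", "substitutability": "easy"},
    {"entity": "BankA", "entity_tier": "significant", "sector": "credit_institution", "state": "DE",
     "provider_lei": "LEI-CORE-2", "country": "NL", "service": "core_banking",
     "criticality": "critical_or_important", "substitutability": "not_substitutable"},
    {"entity": "BankD", "entity_tier": "standard", "sector": "credit_institution", "state": "DE",
     "provider_lei": "LEI-CORE-2", "country": "NL", "service": "core_banking",
     "criticality": "critical_or_important", "substitutability": "difficult"},
]


def validate(row: dict) -> list:
    """Return a list of data-quality errors for one register row (empty list = clean)."""
    errors = [f"missing field: {f}" for f in REQUIRED_FIELDS if not row.get(f)]
    for key, allowed in (("entity_tier", ENTITY_WEIGHT), ("criticality", CRITICALITY_WEIGHT),
                         ("substitutability", SUBSTITUTABILITY_WEIGHT)):
        if row.get(key) and row[key] not in allowed:
            errors.append(f"invalid {key}: {row[key]!r}")
    return errors


@dataclass
class ProviderSummary:
    provider_lei: str
    contracts: int = 0
    weighted_exposure: float = 0.0
    sectors: set = field(default_factory=set)
    states: dict = field(default_factory=dict)  # member state -> number of contracts

    @property
    def top_state_share(self) -> float:
        """Share of this provider's contracts sitting in its single largest Member State."""
        return max(self.states.values()) / self.contracts if self.contracts else 0.0


def aggregate(register: list) -> dict:
    """Build one ProviderSummary per provider LEI; rows failing validation are skipped."""
    summaries = {}
    for row in register:
        if validate(row):
            continue  # a real pipeline would route these to the re-submission queue
        s = summaries.setdefault(row["provider_lei"], ProviderSummary(row["provider_lei"]))
        s.contracts += 1
        s.weighted_exposure += (ENTITY_WEIGHT[row["entity_tier"]]
                                * CRITICALITY_WEIGHT[row["criticality"]]
                                * SUBSTITUTABILITY_WEIGHT[row["substitutability"]])
        s.sectors.add(row["sector"])
        s.states[row["state"]] = s.states.get(row["state"], 0) + 1
    return summaries


def rank_by_exposure(summaries: dict) -> list:
    """Providers ordered by weighted exposure, highest first."""
    return sorted(summaries.values(), key=lambda s: s.weighted_exposure, reverse=True)


if __name__ == "__main__":
    for s in rank_by_exposure(aggregate(REGISTER)):
        print(f"{s.provider_lei}: contracts={s.contracts} exposure={s.weighted_exposure:.1f} "
              f"sectors={len(s.sectors)} top_state_share={s.top_state_share:.2f}")
```

The point of ranking on weighted exposure rather than raw contract count is visible in the sample: the core banking vendor has fewer contracts than the cloud provider but scores higher because its services are reported as critical and hard to substitute by a systemically significant entity.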
The aggregate picture from the Register lets the ESAs identify providers that touch a substantial portion of the EU financial sector — typically large cloud providers, core banking system vendors, and major SaaS providers used across the industry.
# Which providers will be designated?
The ESAs have not pre-named designation candidates, but the structural picture is publicly observable. Hyperscale cloud providers — Amazon Web Services, Microsoft Azure, Google Cloud Platform — have very high contract counts across the EU financial sector and the supplier substitutability for many workloads is low in practical terms even if technically possible. Core banking platform vendors, market data providers, and major SaaS providers operating in compliance and risk management likewise have high concentration. Industry analysts expect the first wave of CTPP designations in 2025-2026 to include several hyperscalers and a handful of strategic vendors specific to financial services, with subsequent waves expanding coverage as the data picture matures.
# What happens to a designated CTPP?
Designation under Article 31 brings the provider under direct ESA oversight. The Joint Committee assigns one of the three ESAs as Lead Overseer based on the provider's primary services. The Lead Overseer can request information, conduct inspections (on-site and off-site), require remediation, and ultimately impose periodic penalty payments of up to 1% of the average daily worldwide turnover of the provider for the preceding financial year. The designated provider must appoint a coordination point in the EU and cooperate with oversight activities. Crucially, designation does not transfer the obligations of the financial entities themselves: they retain their Article 28 third-party risk management duties, and designation adds a layer of direct provider-level scrutiny by EU authorities on top of them.
# What is the Oversight Forum?
The Lead Overseer for each CTPP runs an Oversight Forum that includes the Lead Overseer, the other two ESAs, the national competent authorities of the Member States most affected by the CTPP, and the Commission as observer. The Forum conducts the oversight cycle, including the annual general oversight assessment, on-site inspections, and the issuance of recommendations to the CTPP. The annual oversight cycle is structured: information requests in Q1, on-site inspection in Q2, draft recommendations in Q3, finalisation and publication in Q4. The first full cycles will run from late 2025 through 2026.
# How does this affect financial entity due diligence?
Financial entities contracting with CTPPs retain their full DORA Article 28 obligations. CTPP designation does not reduce the entity's duty to assess and manage the third-party risk. However, designation does provide additional comfort because the Lead Overseer's findings and recommendations are visible to the financial entity, and remediation of identified weaknesses is tracked at EU level. The Subcontracting RTS (Commission Delegated Regulation (EU) 2025/532) applies in parallel: the financial entity must still assess subcontracting arrangements even where the head provider is a designated CTPP, although CTPP-level documentation often streamlines the assessment because the chain is reviewed centrally.
# What about non-EU providers?
A CTPP established outside the EU faces additional structural obligations under Article 31(12). Such a provider must, within 12 months of designation, establish a subsidiary in the EU through which it provides the relevant ICT services to EU financial entities. The provision is intended to ensure direct enforceability of EU oversight in respect of the provider. Some providers may restructure existing EU presence to meet the obligation; others may transfer specific service lines to an EU-established affiliate. The 12-month clock is firm in the text and the Lead Overseer can use the periodic penalty payment power to enforce compliance.
# What is the timeline?
The first designations under Article 31 are expected during 2025-2026, drawing on the April 2025 Register submission and subsequent updates. The provider's right to make submissions and the consultation period before designation typically run for several months. Once designated, the 12-month subsidiary establishment clock starts for non-EU providers, and the annual oversight cycle begins immediately. Financial entities should prepare for the publication of CTPP designation lists and integrate that information into their ongoing third-party risk management: contracts with designated providers may need addenda to reflect the new oversight relationship, and exit strategies may need refreshing given the regulatory commitment to the relationship.
# How should ICT third-party providers prepare?
Three steps. First, assess the likelihood of designation — providers with broad EU financial sector exposure should expect to be in scope and plan accordingly. Second, prepare the substitutability narrative — providers that can demonstrate strong customer multi-cloud or multi-vendor architectures may argue against designation on the substitutability criterion, while providers whose services are practically irreplaceable will need to accept designation and engage constructively. Third, build out the EU coordination point, the subsidiary structure (for non-EU providers), and the governance to support oversight cycle interactions.
# How Safeguard Helps
Safeguard's TPRM module captures the ICT third-party provider data financial entities need for both the Register of Information submission under Article 28 and the parallel CTPP-aware contracting that follows designation. Where a designated CTPP is in the customer's supply chain, the platform tracks Oversight Forum recommendations and the provider's remediation progress, integrating that data into the financial entity's own ICT third-party risk view. For ICT providers themselves who may face CTPP designation, Safeguard generates the structured evidence packs the Lead Overseer expects during oversight cycles — control inventories, vulnerability handling records, incident histories, and substitutability analyses — in a form that supports both regulatory submissions and customer due diligence simultaneously.