ARTICLE
28 November 2025

ESAs Publish List Of Critical ICT Third Party Service Providers Under EU DORA

KM
Katten Muchin Rosenman LLP

Contributor

Katten Muchin Rosenman LLP logo
Katten is a firm of first choice for clients seeking sophisticated, high-value legal services globally. Our nationally and internationally recognized practices include corporate, financial markets and funds, insolvency and restructuring, intellectual property, litigation, real estate, structured finance and securitization, transactional tax planning, private credit and private wealth.
Explore Firm Details
On 18 November 2025, the European Supervisory Authorities (ESAs) published the first list of designated critical information and communication technology (ICT) third party service providers...
European Union Media, Telecoms, IT, Entertainment
Nathaniel W. Lalone and Ciara McBrien
Your Author LinkedIn Connections
Nathaniel W. Lalone’s articles from Katten Muchin Rosenman LLP are most popular:
  • within Media, Telecoms, IT and Entertainment topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives

On 18 November 2025, the European Supervisory Authorities (ESAs) published the first list of designated critical information and communication technology (ICT) third party service providers (CTPPs) under the EU Digital Operational Resilience Act (DORA). The designations mark a major step in operationalising DORA's third party risk regime, bringing key ICT service providers within a new, EU‑level system of direct oversight.

In the ESAs' accompanying press release, the ESAs explain that the designated CTPPs deliver a range of ICT services (e.g., from core infrastructure to business and data services) to financial entities of all types and sizes across the EU.

The ESAs have followed DORA's mandated methodology to reach these designation decisions. Firstly, the ESAs collected data from the registers of information that financial entities must maintain on their contractual arrangements for ICT services. The ESAs then conducted a detailed, cross‑sector criticality assessment in cooperation with competent authorities. This assessment was carried out in line with the multifaceted criteria set out in DORA, requiring the evaluation of a service provider's systemic importance, its role in supporting critical or important functions for financial entities, and the substitutability of its services. ICT third party providers assessed as critical have been formally notified.

CTPP designation brings service providers within the ESAs' direct oversight. The ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the ICT services they deliver to financial entities. This aims to mitigate risks that could impact the operational resilience of the EU financial sector.

This follows the ESAs setting out their supervisory approach in their July 2025 guide on the oversight of CTPPs.

The CTPP list, the press release and the guide are available here, here and here, respectively.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Nathaniel W. Lalone
Nathaniel W. Lalone
Photo of Ciara McBrien
Ciara McBrien
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More