DORA: First Critical ICT Providers Named

The European Supervisory Authorities have officially published the first-ever list of Critical ICT Third-Party Providers under DORA.

This marks the real start of Europe’s new oversight regime — placing some of the world’s largest technology and service providers under direct EU supervision due to their hasztag#systemic importance to financial stability.

Regulators applied DORA’s full methodology:

➡️ mapping dependencies using ICT registers,

➡️ analysing substitutability,

➡️ evaluating systemic impact,

➡️ and allowing providers to respond before final designation.

Photo: https://pl.freepik.com/

Europe’s financial system depends heavily on a concentrated group of global cloud, data, and infrastructure providers.

According to the ESAs, the following companies are the first CTPPs at EU level:

✅ Accenture plc

✅ Amazon Web Services EMEA Sarl

✅ Bloomberg L.P.

✅ Capgemini SE

✅ Colt Technology Services

✅ Deutsche Telekom AG

✅ Equinix (EMEA) B.V.

✅ Fidelity National Information Services, Inc. (FIS)

✅ Google Cloud EMEA Limited

✅ International Business Machines Corporation (IBM)

✅ InterXion HeadQuarters B.V.

✅ Kyndryl Inc.

✅ LSEG Data and Risk Limited

✅ Microsoft Ireland Operations Limited

✅ NTT DATA Inc.

✅ Oracle Nederland B.V.

✅ Orange S.A.

✅ SAP SE

✅ Tata Consultancy Services Limited (TCS)

This is a very clear picture of where systemic ICT risk is concentrated:

global cloud and infrastructure providers

data and market-infrastructure providers

core software and platform vendors

large consulting and integration firms

a small number of telecom and connectivity providers

I’m not surprised that most of these names have been designated as critical — they are deeply embedded in the infrastructure of European finance.

For me, a few points are particularly interesting:

1️⃣ Why are consulting and integration companies recognized as critical?

✅ But what exactly makes them so important?

✅ Is it because they run and maintain core banking platforms?

✅ Because they integrate systems that cannot fail without systemic impact?

✅ Because they operate outsourced environments essential to daily operations?

✅ Because they manage migration, architecture, and high-risk transformation projects?

2️⃣ Why are there so few telecom providers?

Only two telecom operators appear on the list: Deutsche Telekom and Orange.

Given that the entire financial system depends on connectivity, this raises additional questions:

✅ Are other telecom providers considered less critical?

✅ Will we see more telcos added in future updates as regulators refine their view of network-level concentration risk

Link

Author: Sebastian Burgemejster