DORA: First Critical ICT Providers Named
- Katarzyna Celińska
- Dec 9, 2025
- 2 min read
The European Supervisory Authorities have officially published the first-ever list of Critical ICT Third-Party Providers under DORA.
This marks the real start of Europe’s new oversight regime — placing some of the world’s largest technology and service providers under direct EU supervision due to their hasztag#systemic importance to financial stability.
Regulators applied DORA’s full methodology:
➡️ mapping dependencies using ICT registers,
➡️ analysing substitutability,
➡️ evaluating systemic impact,
➡️ and allowing providers to respond before final designation.
Photo: https://pl.freepik.com/
Europe’s financial system depends heavily on a concentrated group of global cloud, data, and infrastructure providers.
According to the ESAs, the following companies are the first CTPPs at EU level:
✅ Accenture plc
✅ Amazon Web Services EMEA Sarl
✅ Bloomberg L.P.
✅ Capgemini SE
✅ Colt Technology Services
✅ Deutsche Telekom AG
✅ Equinix (EMEA) B.V.
✅ Fidelity National Information Services, Inc. (FIS)
✅ Google Cloud EMEA Limited
✅ International Business Machines Corporation (IBM)
✅ InterXion HeadQuarters B.V.
✅ Kyndryl Inc.
✅ LSEG Data and Risk Limited
✅ Microsoft Ireland Operations Limited
✅ NTT DATA Inc.
✅ Oracle Nederland B.V.
✅ Orange S.A.
✅ SAP SE
✅ Tata Consultancy Services Limited (TCS)
This is a very clear picture of where systemic ICT risk is concentrated:
global cloud and infrastructure providers
data and market-infrastructure providers
core software and platform vendors
large consulting and integration firms
a small number of telecom and connectivity providers
I’m not surprised that most of these names have been designated as critical — they are deeply embedded in the infrastructure of European finance.
For me, a few points are particularly interesting:
1️⃣ Why are consulting and integration companies recognized as critical?
✅ But what exactly makes them so important?
✅ Is it because they run and maintain core banking platforms?
✅ Because they integrate systems that cannot fail without systemic impact?
✅ Because they operate outsourced environments essential to daily operations?
✅ Because they manage migration, architecture, and high-risk transformation projects?
2️⃣ Why are there so few telecom providers?
Only two telecom operators appear on the list: Deutsche Telekom and Orange.
Given that the entire financial system depends on connectivity, this raises additional questions:
✅ Are other telecom providers considered less critical?
✅ Will we see more telcos added in future updates as regulators refine their view of network-level concentration risk
Author: Sebastian Burgemejster
Comments