Enforcement

ESAs designate the first critical ICT third-party providers under DORA

Enforcement18 Nov 2025✓ verified 4 Jul 2026

What changed

On 18 November 2025 the European Supervisory Authorities (EBA, EIOPA and ESMA) published the first list of ICT third-party service providers designated as critical under DORA. Designated providers come under direct ESA oversight, which will assess whether they maintain appropriate risk-management and governance frameworks for the services they deliver to the EU financial sector.

Why it matters

DORA's oversight regime is now operating, not theoretical: the major cloud and platform providers that financial entities depend on have an EU supervisor of their own, and oversight findings will flow into firms' third-party risk assessments.

Who is affected

The designated ICT providers directly; every financial entity that relies on them for critical functions indirectly.

What to check next

Check which of your critical ICT vendors appear on the ESAs' list, record the designation in your register of information, and factor ESA oversight into your third-party risk assessments.

Key dates

  • 2025-11-18First designation list published
Source. European Banking Authority — ESAs designate critical ICT third-party providers ↗
Document: ESAs (EBA/EIOPA/ESMA) joint designation of critical ICT third-party service providers under DORA (18 November 2025)
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.
Relates to DORA
← All updates