DORA Critical ICT Third-Party Provider Designation 2026 — What CASPs Need to Know
DORA Critical ICT Third-Party Provider designation went operational in 2025-2026. The ESAs (EBA, EIOPA, ESMA) collectively designate CTPPs based on systemic importance to the EU financial-entity ecosystem. For CASPs, designation has substantive implications — concentration limits, governance obligations, ongoing monitoring of provider compliance with the DORA Oversight Framework.
DORA Critical ICT Third-Party Provider (CTPP) designation is the process under DORA Regulation (EU) 2022/2554 by which the ESAs Joint Committee identifies third-party ICT service providers whose service disruption would have material systemic impact on the EU financial-entity ecosystem — bringing those providers under the DORA Oversight Framework with substantive obligations on the providers and on financial entities (including CASPs) using their services.
Quick facts
| Parameter | Value |
|---|---|
| Legal basis | DORA Regulation (EU) 2022/2554 Articles 31-44 (Oversight Framework) |
| Designating authority | ESAs Joint Committee (EBA, EIOPA, ESMA) collectively |
| Designation criteria | Systemic importance, substitutability, criticality of services, geographic concentration, number of financial-entity users |
| Status (2025-2026) | First CTPP designations late 2025; ongoing designations through 2026 |
| Likely CTPP categories | Major cloud providers (AWS, Azure, GCP), specialised financial-services SaaS, payment-infrastructure providers |
| CASP implications | Concentration limits on CTPP usage, governance obligations, ongoing monitoring of CTPP compliance |
| Lead Overseer designation | Each CTPP assigned a Lead Overseer (one of the three ESAs) responsible for supervision |
What CTPP designation actually does
DORA’s Critical ICT Third-Party Provider (CTPP) framework is the most operationally-significant DORA development in 2025-2026. The framework, established under DORA Articles 31-44, brings systemically-important ICT providers under direct EU-level supervisory oversight by the ESAs Joint Committee (EBA, EIOPA, ESMA collectively).
The substantive mechanism:
ESAs Joint Committee identifies CTPPs — based on criteria including systemic importance, substitutability, criticality of services to financial entities, geographic concentration, and number of financial-entity users.
CTPPs subject to DORA Oversight Framework — substantive supervisory obligations: governance arrangements, risk management, business-continuity infrastructure, security controls, cooperation with Lead Overseer.
Each CTPP assigned a Lead Overseer — one of the three ESAs designated as primary supervisor. The Lead Overseer conducts on-site inspections, requires governance changes, can impose penalties.
Financial entities (including CASPs) using CTPPs maintain substantive obligations — governance documentation, concentration monitoring, Article 30 contractual arrangements, ongoing relationship management.
The framework is novel in EU financial-services regulation. It’s the first time non-financial-entity providers (cloud providers, SaaS firms, specialised infrastructure providers) face direct EU supervisory oversight as a consequence of their financial-entity user base.
The CTPP designation criteria
ESAs Joint Committee designation uses objective criteria with substantive judgement components:
Systemic importance — the substantive impact of provider service disruption on EU financial-entity ecosystem operational continuity. A provider serving 80% of EU banks would be systemically important; a provider serving 2 small specialist firms would not.
Substitutability — how easily financial entities could substitute the provider with alternatives. A provider offering commodity services with many substitutes is less likely to be designated; a provider offering specialised services with few substitutes (e.g., specialised payment-infrastructure) more likely.
Criticality of services — the substantive role of provider services in financial-entity operations. Core operational infrastructure (cloud computing, payment processing) higher priority than non-core services (marketing analytics, office productivity).
Geographic concentration — providers concentrated in particular EU regions or jurisdictions create geographic-concentration risk for financial entities. Single-region cloud providers may face different designation calculus than multi-region providers.
Number of financial-entity users — substantive financial-entity user base across the EU is a substantial designation driver. Multiple users across sectors more likely to trigger designation than concentrated user base in single sector.
Likely CTPP categories
Based on the designation criteria, likely CTPP categories include:
Major cloud providers — AWS, Microsoft Azure, Google Cloud Platform. Substantive financial-entity user base across banks, insurers, investment firms, CASPs. Limited substitutability for specialised cloud-native architectures.
Specialised financial-services SaaS — providers of core banking platforms, AML/KYC infrastructure, market-data platforms, regulatory-reporting infrastructure. Higher substitutability than cloud providers but substantive financial-entity concentration.
Payment-infrastructure providers — SWIFT, major card-payment networks, specialised payment-services providers serving substantive financial-entity user base.
Specialised crypto-infrastructure providers — for CASPs specifically, providers of crypto-custody infrastructure (Fireblocks, BitGo, similar), blockchain-analytics providers (Chainalysis, Elliptic, TRM Labs), specialised crypto-trading infrastructure. CTPP designation in this category will depend on substantive financial-entity user base across the EU.
The first CTPP designations went operational in late 2025. Initial designations focused on major cloud providers; subsequent designations through 2026 are expanding to specialised financial-services providers.
CASP implications of using designated CTPPs
For CASPs using designated CTPPs, substantive implications:
Governance documentation — CTPP usage requires substantive governance documentation: relationship rationale, risk-management framework, performance-monitoring infrastructure, escalation procedures. Documentation expectations heightened beyond standard ICT-provider relationships.
Concentration monitoring — DORA concentration-monitoring obligations apply substantively. CASPs heavily concentrated on a single CTPP face supervisory engagement on concentration risk. Substantive substitutability analysis required.
Article 30 contractual arrangements — DORA Article 30 substantive contractual requirements apply. Standard CTPP contracts often inadequate; substantive contract addenda or specialised financial-services contracts required.
Ongoing CTPP compliance monitoring — CASPs need substantive infrastructure monitoring CTPP compliance with DORA Oversight Framework requirements. Provider compliance issues can affect financial-entity operational continuity and supervisory standing.
Business-continuity infrastructure — substantive exit-strategy and contingency-arrangement documentation for CTPP relationships. CASPs without realistic exit strategies face supervisory engagement on inadequate operational resilience.
Article 30 contractual requirements — the operational reality
DORA Article 30 establishes substantive contractual requirements between financial entities and ICT third-party providers. For CTPP relationships, the requirements apply with heightened expectations:
Audit rights — financial entity right to audit ICT provider operations, either directly or through Lead Overseer coordination. Standard cloud-provider contracts often have audit-rights limitations that fail Article 30 substantive requirements.
Exit strategy — documented exit strategy enabling financial entity to transition away from the provider with substantive operational continuity. Vague exit clauses fail substantive review.
Sub-contracting controls — financial entity visibility into ICT provider sub-contracting arrangements, with rights to object to material sub-contractors.
Performance obligations — substantive service-level agreements with measurable performance metrics and remediation procedures for failures.
Business-continuity arrangements — substantive infrastructure and procedures ensuring continuity of services through provider operational disruption.
Data location and access — substantive arrangements regarding data location, regulatory-access rights, cross-border data transfer compliance.
Termination provisions — substantive termination rights including for provider regulatory failures, with operational arrangements supporting orderly termination.
Standard cloud-provider contracts (AWS Customer Agreement, Azure Online Services Terms, GCP Terms of Service) lack Article 30-compliant provisions. CASPs using these providers need substantive financial-services-specific contracts or substantial addenda.
The major cloud providers have developed financial-services-specific contract frameworks (AWS Financial Services, Azure Financial Services Compliance Framework, GCP Financial Services Solutions) addressing Article 30 requirements. CASPs should negotiate into these frameworks rather than relying on standard terms.
Concentration management
DORA concentration-monitoring obligations apply substantively to CTPP relationships. CASPs need substantive analysis covering:
Single-provider concentration — substantive analysis of dependence on any single ICT provider. CASPs concentrated on a single CTPP face supervisory engagement.
Single-service concentration — concentration on a single type of service from a particular provider, even where the provider isn’t itself dominant.
Geographic concentration — concentration of ICT services in particular geographic regions creating substantive resilience risk.
Substitutability assessment — substantive analysis of how easily the CASP could substitute the CTPP with alternative providers in case of substantive disruption.
Contingency arrangements — substantive infrastructure supporting substitution if needed. Active arrangements with alternative providers, regular testing of substitution capability.
CASPs without substantive concentration-management infrastructure face supervisory engagement and potential Article 109 sanctions for inadequate DORA compliance.
Operational implementation for CASPs
For CASPs reviewing CTPP-related obligations:
Phase 1 — Inventory (4-6 weeks): identify all ICT providers, classify by criticality, identify which are designated CTPPs (check ESAs register) or likely CTPP candidates.
Phase 2 — Governance documentation (6-12 weeks): substantive governance documentation for CTPP relationships including relationship rationale, risk-management framework, performance monitoring.
Phase 3 — Contract review (12-24 weeks): review all CTPP contracts for Article 30 compliance, negotiate addenda or substitute contracts where necessary.
Phase 4 — Concentration analysis (4-6 weeks): substantive concentration analysis with documented conclusions and remediation actions where concentration is excessive.
Phase 5 — Monitoring infrastructure (6-12 weeks): substantive infrastructure monitoring CTPP performance and DORA compliance, escalation procedures.
Phase 6 — Annual review (ongoing): substantive annual review of CTPP relationships including concentration analysis, contractual compliance, performance metrics.
Realistic total: 6-12 months for substantive initial implementation, with ongoing infrastructure thereafter. The build is substantive but the alternative — supervisory engagement under DORA enforcement — is more costly.
The framework’s broader strategic impact
The CTPP framework has substantive strategic implications for EU financial-services ICT architecture:
Cloud-provider negotiation dynamics — financial-entity negotiation position with major cloud providers improved by CTPP designation. Substantive contract terms more achievable than pre-DORA.
EU sovereignty considerations — CTPP framework supports EU strategic-autonomy objectives in financial-services infrastructure. Pressure on financial entities to ensure substantive EU-based contingency capability.
Specialised provider landscape — emergence of specialised EU-based financial-services ICT providers as substantive alternatives to global cloud providers, supported by CTPP framework dynamics.
Cost implications — substantive compliance investment increases ICT-relationship management costs. Marginally affects ICT-provider economics across the financial-services industry.
For CASPs, the CTPP framework is one of the substantive ongoing operational obligations under DORA. The framework will continue evolving through 2026-2028 as initial implementation experience identifies framework refinements. Operators with substantive infrastructure are well-positioned; operators that defer engagement face supervisory engagement and operational disruption.
Pitfalls and nuances
1. Assuming CTPP designation transfers the compliance burden to the provider
CTPP designation brings the provider under the ESAs Oversight Framework — but the financial entity (CASP) retains substantive DORA obligations on ICT-risk management, contractual arrangements, governance. CASPs don't become exempt from DORA by using a CTPP. The framework adds a supervisory layer on the provider while maintaining all existing financial-entity obligations.
2. Underestimating concentration-monitoring requirements
DORA includes concentration-monitoring obligations on CASPs — substantive analysis of dependence on any single ICT provider, identification of single-points-of-failure, contingency planning. CTPP designation makes the obligation more substantive — CASPs concentrating on designated CTPPs face supervisory engagement on concentration risk and substitutability.
3. Inadequate Article 30 contractual arrangements
DORA Article 30 requires substantive contractual arrangements between financial entities and ICT providers covering audit rights, exit strategies, sub-contracting controls, performance obligations, business-continuity arrangements. Standard cloud-provider contracts often lack Article 30-compliant terms. CASPs using CTPPs need substantive contract addenda or specialised financial-services contracts.
4. Missing the cross-sector impact of CTPP designation
CTPP designation considers systemic impact across all EU financial entities — banks, insurers, investment firms, CASPs, payment institutions. A provider may be designated CTPP based on bank-sector concentration even if CASP-sector usage is moderate. CASPs need to monitor CTPP designations across all sectors, not just CASP-specific usage.
Frequently asked questions
What is a DORA Critical ICT Third-Party Provider?
A third-party ICT service provider designated by the ESAs Joint Committee as systemically important to EU financial entities. Designation brings the provider under the DORA Oversight Framework with substantive supervisory obligations.
How is CTPP designation decided?
ESAs Joint Committee assesses systemic importance, substitutability, criticality of services, geographic concentration, and number of financial-entity users. Designation criteria are objective but assessment has substantive judgement components.
What do CASPs need to consider for CTPP usage?
Concentration limits on usage of any single CTPP, substantive governance obligations covering CTPP relationships, ongoing monitoring of CTPP compliance with DORA Oversight Framework, contractual arrangements meeting DORA Article 30 requirements.
Are cloud providers like AWS designated as CTPPs?
Likely yes for the major cloud providers (AWS, Azure, GCP) given their substantive financial-entity user base. Initial CTPP designations late 2025 and through 2026; specific designations published in the ESAs register.
Does CASP use of a designated CTPP require additional permissions?
No additional permission required, but substantive obligations apply — governance documentation, concentration monitoring, contractual arrangements meeting DORA Article 30 requirements. CASPs using CTPPs without these arrangements face supervisory engagement on inadequate ICT-risk-management.
Sources cited
- DORA Regulation (EU) 2022/2554 — regulation
- ESAs Joint Committee DORA Oversight Framework — regulator
- EBA — published DORA CTPP designation methodology — regulator