DORA’s list lands as scrutiny of critical ICT third-party providers begins

Posted on November 24, 2025 by Editor

Almost a year after it came into force in January 2025, the Digital Operational Resilience Act (DORA) supervision framework reached a new milestone this month.


The European Insurance and Occupational Pensions Authority (EIOPA), together with the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) (collectively the ESAs), published the first official list of designated critical ICT third-party providers (CTPPs).

The ESAs reached these designations following a structured process: data collection from national registers, an assessment of criticality (including systemic role, substitutability and support of essential functions), and a final round of notifications and hearings. The result marks a major step in expanding oversight of digital resilience across a financial sector increasingly dependent on technology providers for infrastructure, data and operational continuity.

What’s next for DORA? A long-running question is nearing a decision point: should auditors fall within the scope of the Regulation? Under Article 58(3), the European Commission must conclude its review by January 2026. A recent Accountancy Europe blog resurfaced their earlier, detailed comment letter, arguing firmly against inclusion. Auditors, they note, do not run transactional systems, do not handle real-time financial flows, and are not gateways to clients’ ICT environments. Their digital resilience obligations are already governed by the Audit Directive and ISQM 1, which include strict requirements for business continuity, incident reporting and quality management. Bringing auditors into DORA, they warn, would duplicate rules, increase costs, and risk misalignment, contrary to the EU’s push for simplification and proportionality.

Taken together, the designation of CTPPs and the emerging debate on auditors signal a shift from building DORA to refining it. Oversight is tightening where systemic risk is highest, while policymakers assess where boundaries should lie. As these strands converge, the focus will increasingly turn to operations. Will CTPP oversight alter the resilience of these technology shops, or are cyber security, operational resilience and relevant fallback procedures the core of their business in any event? Hopefully DORA will support a resilient, data-driven financial system. {Ed: Apropos of nothing at all… not on the list? Cloudflare}

For those interested in diving deeper, you can view the full list of designated providers here, and read Accountancy Europe’s recent blog and original consultation.
