Critical ICT Third-Party Service Provider

A critical ICT third-party service provider (Critical Third-Party Provider, CTPP) is an ICT provider that has been designated by the EU financial supervisory authorities as systemically important. Under DORA, critical ICT third-party service providers are subject to direct EU oversight by the European Supervisory Authorities (ESAs).

    What is a critical ICT third-party service provider?

    A critical ICT third-party service provider is a company that provides ICT services to many financial entities in the EU and whose failure or disruption would have systemic consequences for the European financial sector. Think of major cloud providers such as AWS, Microsoft Azure and Google Cloud, or large data and analytics providers serving the financial sector.

    DORA introduces a new EU oversight regime that gives the ESAs (EBA, ESMA, EIOPA) direct supervisory powers over these critical providers -- something that did not exist previously.

    Designation criteria

    The ESAs designate critical ICT third-party service providers based on criteria such as:

    • Systemic impact: The systemic potential that a failure at the provider would have for financial stability.
    • Number and type of users: The number and type of financial entities that use the provider.
    • Market share: The provider's market share for specific services to the financial sector.
    • Dependency on critical functions: The degree to which financial entities depend on the provider for critical financial functions.
    • Substitutability: The degree to which the provider can be replaced by alternative providers.

    Direct EU oversight

    Designated critical ICT third-party service providers are subject to direct oversight by the Lead Overseer, which is one of the ESAs. The oversight includes:

    • A requirement to establish a representative office in the EU (if the provider is established outside the EU)
    • Ongoing monitoring and reporting requirements
    • The right to conduct inspections and request documentation
    • The power to issue recommendations and requests for remediation
    • The ability to require compliance with DORA's requirements for the sector


    Not a direct client requirement:
    A financial entity does not need to take specific action simply because one of its providers is designated as critical. The designation is directed at the provider. However, financial entities should continuously monitor the supervisory status of their critical providers and factor this into their third-party risk management.

    Frequently Asked Questions about Critical ICT Third-Party Service Provider

    What is a critical ICT third-party service provider under DORA?

    It is an ICT provider designated by the EU financial supervisory authorities (ESAs) as systemically important under DORA. These providers are subject to direct EU oversight because their failure could have systemic consequences for the financial sector.

    Which companies are likely to be designated as critical ICT providers?

    The ESAs publish the list of designated providers. Major cloud providers such as Amazon Web Services, Microsoft Azure, Google Cloud and IBM Cloud are expected to be designated, as well as potentially large data and payment infrastructure providers.

    What powers does the Lead Overseer have?

    The Lead Overseer can conduct inspections, request documentation, issue recommendations and requests for remediation, and require compliance with DORA's requirements. Non-EU providers must establish a representative office in the EU.

    Does a financial entity need to act if its provider is designated as critical?

    The designation is directed at the provider, not the financial entity. However, financial entities should monitor their providers' supervisory status and incorporate this into their third-party risk management processes.

    How does the DORA oversight framework differ from NIS2 supervision?

    DORA's oversight framework is specifically designed for ICT providers serving the financial sector and involves direct EU-level supervision by the ESAs. NIS2 supervision is conducted by national authorities and applies more broadly across sectors.