Editorial

DORA Designation: What Critical Tech Providers Must Do Now

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force in January 2023 and has applied since 17 January 2025, setting in motion a regulatory framework that reshapes how critical third-party providers (CTPPs) support financial institutions.

Contributor

Liliana joined Delta Capita in September 2021. She is a highly motivated, multilingual operations professional with a broad range of knowledge and experience within the Financial Services industry.

Liliana Hillebrand-Measures
Principal Consultant

The European Supervisory Authorities (ESAs), namely the EBA, EIOPA and ESMA, are now empowered to designate certain cloud, data and technology providers as CTPPs based on their systemic importance, the concentration of financial entities relying on them, and the substitutability of the services they provide. For providers that fall within the designation criteria, the implications are significant and immediate.

Designation as a CTPP triggers a new level of regulatory scrutiny. The ESAs will assign a Lead Overseer to each designated provider, responsible for conducting annual risk assessments, developing oversight plans, and issuing recommendations. Designated providers must be prepared for regular data requests, on-site and off-site inspections, and ongoing engagement with regulators. The designation process itself is driven by the Registers of Information that financial entities submit to their competent authorities, and is assessed using both quantitative and qualitative criteria.

For boards and senior executives, the message is clear: DORA is not just an IT issue. It is a strategic imperative that demands board-level accountability and cross-functional coordination. Governance structures must be updated to define roles, responsibilities, and escalation paths for DORA compliance. A dedicated DORA Champion should be appointed to lead regulatory engagement and ensure that the organisation is regulator ready.

Operational resilience is a cornerstone of DORA. CTPPs must maintain robust cybersecurity, incident response, and business continuity plans. These must be regularly tested through scenario-based exercises, with results documented and remediation actions tracked. Inspection readiness is no longer optional: firms should prepare centralised documentation and response playbooks to support intrusive ESA inspections.

Third-party risk management also comes under the spotlight. CTPPs must maintain comprehensive registers of the ICT service providers they themselves rely on, and ensure that contracts include audit rights, service level agreements and exit clauses. For providers established outside the EU, setting up a subsidiary within the EU within 12 months of designation is mandatory. Subcontracting arrangements must be monitored closely, with any material changes promptly reported to the Lead Overseer.

Transparency and data access are critical. Providers must maintain live inventories of services, systems, and subcontractors, and establish processes to deliver accurate, timely data to regulators. This includes data required for oversight fee calculations, which designated CTPPs are now obligated to pay annually. Budgeting and tracking these fees should be integrated into financial planning cycles.

The oversight regime does not end with designation. The Lead Overseer will issue recommendations that, while formally non-binding, operate on a comply-or-explain basis: within 60 calendar days of receipt, the CTPP must either confirm that it will follow the recommendation or provide a reasoned explanation for not doing so, and continued non-compliance can lead to periodic penalty payments and public disclosure. To mitigate reputational and regulatory risk, providers must implement robust compliance monitoring and remediation tracking mechanisms. Regular staff training on DORA obligations is essential to embed awareness and ensure consistent execution.

The timeline is tight. With the regulation already in force and supervisory frameworks advancing, CTPPs must act now to assess their designation risk and begin implementing the necessary controls. This includes evaluating systemic impact, concentration risk, and service substitutability. Early engagement with ESAs and proactive preparation will be critical to navigating the designation process and meeting oversight expectations.

Delta Capita is already supporting CTPPs across the EU and UK to prepare for DORA. Our teams help design governance frameworks, establish DORA steering committees, and implement escalation protocols. We provide experienced DORA Champions to manage regulatory engagement, facilitate resilience testing, and build live service registers. Our contract specialists ensure ICT agreements meet DORA standards, while our regulatory experts guide clients through oversight planning, fee management, and compliance monitoring.

To find out about how we can support you, contact us and speak directly to one of our experts.