Skip to main content
DORA Auditor

Critical ICT Third-Party Provider (CTPP)

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

A critical ICT third-party provider is an ICT provider designated by the European Supervisory Authorities as systemically important to the EU financial sector. Under DORA, CTPPs are subject to a direct EU oversight framework, distinct from the obligations placed on the financial entities that use them.

Detailed explanation

Designation as critical is based on criteria such as the systemic impact of a failure, the systemic importance of the financial entities served, the degree of substitutability, and interconnectedness. Once designated, a CTPP is assigned a Lead Overseer (one of the ESAs) with powers to request information, conduct investigations and inspections, issue recommendations, and levy periodic penalty payments for non-compliance. The framework is intended to address concentration risk from a small number of large providers, particularly hyperscale cloud vendors, on which much of the financial sector depends.

In context

This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 31.

Related terms

Sources

  1. DORA Articles 31–44, EUR-Lex