Critical ICT Third-Party Provider (CTPP)
A critical ICT third-party provider is an ICT provider designated by the European Supervisory Authorities as systemically important to the EU financial sector. Under DORA, CTPPs are subject to a direct EU oversight framework, distinct from the obligations placed on the financial entities that use them.
Detailed explanation
Designation as critical is based on criteria such as the systemic impact of a failure, the systemic importance of the financial entities served, the degree of substitutability, and interconnectedness. Once designated, a CTPP is assigned a Lead Overseer (one of the ESAs) with powers to request information, conduct investigations and inspections, issue recommendations, and levy periodic penalty payments for non-compliance. The framework is intended to address concentration risk from a small number of large providers, particularly hyperscale cloud vendors, on which much of the financial sector depends.
In context
This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 31.