DORA for Critical ICT Third-Party Providers
Critical ICT third-party providers (CTPPs) are the systemic cloud, software and infrastructure firms designated under Article 31. Uniquely under DORA, they are subject to a direct EU oversight framework (Articles 31–44), led by a Lead Overseer with powers to examine, recommend, and levy penalties.
How designation works
The European Supervisory Authorities designate CTPPs based on criteria such as the systemic impact of a failure, the systemic importance of the financial entities relying on them, and the degree of substitutability. Designation is not about company size alone but about concentration and concentration risk in the financial system.
What oversight involves
- A designated Lead Overseer (one of the ESAs) coordinates supervision.
- Powers to request information, conduct inspections, and issue recommendations.
- Periodic penalty payments of up to 1% of average daily worldwide turnover to compel compliance.
Preparing for the framework
Prospective CTPPs should map their EU financial-sector footprint, formalise resilience and sub-outsourcing controls, and align with the oversight framework expectations. See DORA penalties for enforcement detail.
Frequently asked questions
Who decides which providers are critical?
The European Supervisory Authorities (ESAs) designate critical ICT third-party providers under Article 31, based on systemic-importance criteria.
What is a Lead Overseer?
The ESA appointed to lead oversight of a given critical provider, coordinating supervision, inspections, and recommendations across the EU.
Can critical providers be fined?
Yes. The Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover to compel compliance.