nexalign

Glossary term

Critical ICT Third-Party Provider (CTPP)

Also: DORA CTPP, Lead Overseer-supervised provider

An ICT third-party provider designated as critical by the European Commission under DORA Art. 31 and therefore placed under the direct supervision of one of the three European Supervisory Authorities (EBA, EIOPA, ESMA). The first CTPP designations are expected in 2025/2026.

Designation criteria under DORA Art. 31 and Delegated Regulation (EU) 2024/1502: systemic importance in the EU financial sector, number of financial entities served, substitutability, critical functions, and interconnectivity. AWS, Microsoft Azure, Google Cloud, Oracle, IBM, SAP and Salesforce are likely candidates.

Consequences of CTPP designation: direct supervision by a Lead Overseer (one of the three ESAs), which has on-site inspection powers, sanctioning powers, and the ability to order risk-mitigation measures. CTPPs pay supervisory fees. Fines can reach up to 1 percent of average daily worldwide turnover per day of continued breach.

Consequences for financial entities as customers: contracts with CTPPs are subject to stricter requirements. Information demands grow because the Lead Overseer can also carry out inspections at the financial entity. CTPP relationships must be flagged separately in the information register.
