• EU designates 19 critical ICT providers for direct DORA oversight
• Designations based on systemic impact, reliance, concentration and substitutability
• Oversight covers risk management, governance, incident reporting, subcontracting and ICT security
• Providers must appoint an EU-based coordination entity and pay annual oversight fees
• Noncompliance could trigger public notices or force banks and insurers to suspend services
• Annual updates to the list expected as regulators expand scrutiny across the ICT ecosystem
European regulators have taken a major step toward tightening oversight of the technology infrastructure underpinning the financial system, publishing a list of 19 critical information and communications technology providers that will fall under direct supervision through the Digital Operational Resilience Act.
The announcement, released on November 18, identifies cloud platforms, data centre operators, network firms and specialist financial technology suppliers judged to be systemically important to banks, insurers and securities firms.
The European Supervisory Authorities said the designations were based on a methodology defined within the regulation, focusing on four criteria.
These included the potential systemic impact of a large-scale outage at a provider, the importance of financial institutions reliant on the service, the concentration of that reliance across the banking, insurance and pensions, and markets sectors, and the ease or difficulty of substituting the provider’s services.
The designations were informed by data gathered from national supervisors. Financial institutions are required to register ICT providers that support critical or important functions, giving regulators insight into sector-wide dependencies.
Providers identified as potentially critical were notified and allowed to respond before final decisions were made.
Under DORA, the newly designated critical providers will face direct oversight from the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority.
The regulators will assess risk management frameworks, governance structures, incident reporting capabilities, subcontracting arrangements and ICT security practices.
Each designated provider must appoint a legal entity, ideally an EU subsidiary with adequate resources, to act as a coordination point for supervisory engagement. They will also be required to pay annual oversight fees to their assigned authority.
If regulators identify deficiencies, they may issue remediation recommendations. Providers that fail to comply must justify their position.
In extreme cases, regulators may publicly disclose noncompliance or require financial institutions to suspend or terminate use of the provider’s services.
For banks, insurers and investment firms, the designation of a technology partner brings both advantages and challenges.
On one side, providers subject to direct regulatory scrutiny may offer greater assurance about the robustness of their controls. The new regime clarifies that operational resilience is not solely the responsibility of financial institutions but also of the vendors that support them.
However, designated providers may also seek to align their contractual obligations with their new supervisory requirements.
Financial institutions may find that oversight standards are folded into vendor contracts, with providers arguing that regulatory examination should offer some comfort to customers about risk management expectations.
The list published by the European Supervisory Authorities illustrates what regulators consider systemically important, covering managed service providers and firms offering sector-specific technology.
Observers noted that some widely used vendors were not included, despite appearing to meet the designation criteria.
Recent global outages, including incidents occurring on the day of the announcement, demonstrate the scale of interconnected dependencies across the ICT ecosystem.
The regulation also acknowledges the influence of fourth party providers. While these firms are not designated directly, their oversight may tighten indirectly through assessments of subcontracting arrangements within the critical providers’ supply chains.
The list of critical ICT providers will be updated annually, signalling continuing regulatory focus on digital operational resilience as financial institutions deepen their reliance on external technology partners.