EU designates 19 critical tech providers under DORA

European regulators have formally identified 19 technology firms as “critical” providers to the financial sector under the EU’s Digital Operational Resilience Act (DORA), placing the world’s largest cloud and data providers under direct supervisory scrutiny for the first time.

The designation, announced by the European Supervisory Authorities (ESAs), marks a significant expansion of the EU’s efforts to curb systemic risk stemming from the financial system’s deep dependence on a small cluster of technology companies.

The list includes the European operations of Amazon Web Services, Google Cloud and Microsoft — long viewed as essential infrastructure for banks, insurers and market operators — alongside IBM, the London Stock Exchange Group, Bloomberg, Orange and Tata Consultancy Services.

Under DORA, which came into force in January 2025, regulators gain new powers to assess the resilience of technology providers whose services are deemed indispensable to the functioning of financial institutions across the bloc.

 How the EU assessed which firms are “critical”

The ESAs said that the designations followed a detailed methodology set out in DORA.

Regulators first gathered data from financial firms’ ICT outsourcing registers, mapping which providers support critical or important business functions.

National regulators then conducted a joint “criticality assessment” with EU-level authorities, applying criteria ranging from a provider’s systemic importance to the substitutability of its services.

Each firm identified as potentially critical was invited to submit a reasoned response before final decisions were taken.

The ESAs said the final list reflects a “complete evaluation” of the risks these companies pose to the stability and continuity of financial operations in Europe.

What the new oversight means

Being designated a critical ICT provider subjects firms to ongoing EU-level supervision.

Regulators will engage directly with each company to determine whether their governance, risk controls and operational resilience frameworks are sufficient to prevent disruptions that could cascade across the financial system.

The aim, the ESAs said, is to strengthen the management of ICT risk and mitigate vulnerabilities that could undermine operational continuity.

The move comes amid growing concern in Brussels and Frankfurt that European financial institutions rely heavily on a handful of overseas cloud and data service providers.

The European Central Bank recently warned that geopolitical tensions and technology shocks pose material risks to banks’ resilience.

The UK, meanwhile, is preparing its own parallel oversight regime, with designations expected next year.

Public responses from the newly listed companies have been muted but broadly supportive. LSEG and Google Cloud said they welcomed the designation, while Microsoft pledged full compliance with European cybersecurity requirements.

AWS noted it had anticipated the move and would continue close engagement with regulators.

As the EU embeds DORA into day-to-day supervisory practice, the designation of these 19 firms marks a critical early step in reshaping the balance of responsibility for the digital backbone of Europe’s financial system.