European Union regulators have designated 19 technology firms as critical third‑party computing providers to the bloc’s financial sector under the Digital Operational Resilience Act (DORA), bringing them under direct supervisory oversight.

A press release on the European Securities and Markets Authority’s website said the European Banking Authority, the European Insurance and Occupational Pensions Authority, and ESMA have named the European arms of Amazon Web Services, Bloomberg, Google Cloud, IBM, London Stock Exchange Group, Microsoft, Orange and Tata Consultancy Services among those subject to the new regime. The list of designated critical ICT third‑party providers is accessible via ESMA.

DORA, which began applying in January 2025, allows the EU‑level regulators to identify providers whose services are considered systemically important to the financial sector and to examine their governance, risk management and resilience. The ESAs said the designation followed a methodology set in law, starting with data collected from financial entities’ registers of information on ICT contracts, followed by a “detailed criticality assessment” with national competent authorities in banking, insurance and pensions, and securities and markets.

“The assessment was carried out in line with the multifaceted criteria set out in DORA, which required a complete evaluation of a provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services,” the ESAs said, adding that providers assessed as critical were formally notified and “benefitted from their right to be heard by providing a reasoned statement.” Final decisions were adopted after “a careful review of all relevant information,” they said.

The regulators said they will engage directly with the designated companies to assess whether they have appropriate frameworks “to ensure the resilience of the services they deliver to financial entities,” aiming to mitigate risks that could affect operational continuity. “The objective of the DORA oversight framework… is to promote the sound management of ICT risk by the critical providers,” the ESAs said.

Companies responded publicly to the move. A spokesperson for London Stock Exchange Group said they welcomed the designation, while Google Cloud said the same on its website. A Microsoft spokesperson said the company was “committed to complying with Europe’s cybersecurity and resilience laws.” An Amazon Web Services spokesperson said AWS had been preparing for the designation and would continue engaging with authorities.

European officials have flagged risks tied to technology reliance this year, with the European Central Bank citing “geopolitical tensions and technological disruptions” as challenges for banks. The UK has created a similar regime, with designations expected next year.

---