DORA | 22 November 2025 | 10 min read | Attila Bognar

DORA CTPP Designation (November 2025): Concentration Risk and Exit Readiness

The ESAs designated critical ICT third-party providers under DORA in November 2025. This article explains what changes for financial entities and ICT dependency strategy.

Tags: DORA, CTPP, Third-party risk, Concentration risk, Exit strategy

November 2025 made concentration risk impossible to ignore. When the European Supervisory Authorities published the first designation of Critical Third-Party Providers (CTPPs) under DORA Articles 31-44, an abstract governance concept became a named dependency problem with specific supervisory consequences. Financial entities that relied on traditional bilateral vendor management, evaluating each provider in isolation, discovered that their entire third-party risk model needed structural revision.

The CTPP designation is not a blacklist. It is not a ban. It is a recognition that certain ICT third-party providers are so deeply embedded in the European financial system that their failure or disruption would create systemic risk. For financial entities using designated CTPPs, the implications are immediate and operational: enhanced oversight obligations, concentration risk assessment requirements, and — most uncomfortably — credible exit planning for services that many assumed were permanent infrastructure.

Understanding the CTPP Designation Framework

DORA Art. 31 establishes the criteria the ESAs use to designate CTPPs. The Joint Committee of the ESAs assesses ICT third-party service providers based on several factors:

Systemic impact of disruption. The degree to which a failure or operational disruption of the ICT third-party service provider would affect the provision of financial services. This is measured not by the provider's revenue or market share, but by the breadth and depth of financial entity dependency.

Substitutability. The degree to which the ICT third-party service provider is easily substitutable, considering the availability of alternatives, the complexity of migration, and the cost and time required for transition. Providers with limited alternatives score higher on this criterion.

Number and significance of financial entities served. This includes both direct contractual relationships and sub-outsourcing arrangements where the CTPP provides services to other ICT providers that in turn serve financial entities. The full dependency chain matters, not just direct contracts.

Degree of reliance by financial entities on the services. A provider that supplies commodity infrastructure is different from one that supplies core processing capability. The criticality of the service to the financial entity's operations weighs heavily in designation.

The designation process is deliberative. The Joint Committee publishes a list of designated CTPPs, and those providers are subject to an oversight framework administered by a designated Lead Overseer from among the ESAs (EBA, ESMA, or EIOPA). The Lead Overseer has inspection powers, can issue recommendations, and — crucially — can ultimately require financial entities to suspend or terminate arrangements if the CTPP does not address identified risks.

What CTPP Designation Means for Financial Entities

If your organization uses a designated CTPP, several obligations and operational imperatives follow.

Enhanced Contractual Requirements

DORA Art. 28 establishes baseline contractual requirements for all ICT third-party service arrangements. For arrangements with CTPPs, these requirements carry heightened supervisory scrutiny. Your contracts with designated CTPPs must include clear service level descriptions, data processing and storage locations, provisions for accessibility and availability, audit and inspection rights, cooperation obligations during supervisory examinations, and — under Art. 28(8) — exit strategies.

Supervisors will examine these contracts not as standalone documents but as components of your overall ICT risk management framework. A contract that technically satisfies Art. 28 requirements but does not provide operationally meaningful audit rights or realistic exit provisions will draw findings.

Concentration Risk Assessment

DORA Art. 29 requires financial entities to assess and manage concentration risk arising from ICT third-party dependencies. With CTPPs now explicitly identified, this assessment must specifically address: how many of your critical or important functions depend on each designated CTPP? What is the aggregate business impact if a designated CTPP experiences extended disruption? Do you have concentration across multiple critical functions with a single CTPP?

The concentration risk assessment is not a one-time exercise. It must be maintained as your ICT service arrangements evolve and as the CTPP list is updated. FortisEU's vendor risk management module maps dependency topology across your provider portfolio, automatically identifying concentration clusters and calculating aggregate exposure.

Sub-Outsourcing Chain Visibility

Concentration risk is not limited to your direct providers. A designated CTPP may provide services to an ICT provider you contract with directly, creating indirect dependency that is equally problematic from a systemic risk perspective. Your register of information under Art. 28(3) must capture these sub-outsourcing chains, and your concentration risk assessment must account for indirect as well as direct CTPP dependency.

This is where many organizations discover gaps. Your direct provider tells you they use a particular cloud platform for infrastructure. That cloud platform is a designated CTPP. Your concentration risk to that CTPP is real, even though you have no direct contractual relationship with them. Mapping these indirect dependencies requires active engagement with your direct providers and, increasingly, automated supply chain visibility tools.

The Exit Strategy Imperative

DORA Art. 28(8) requires financial entities to ensure that contractual arrangements with ICT third-party service providers can be terminated without: disruption to business activities, limiting compliance with regulatory requirements, or detriment to the continuity and quality of services provided to clients.

For designated CTPPs, this exit strategy requirement moves from theoretical to operational. If the Lead Overseer identifies unacceptable risks at a CTPP and ultimately requires financial entities to suspend or terminate arrangements, your organization must be able to execute that exit. Not plan it — execute it.

Credible exit strategies for CTPP-dependent services require:

Technical feasibility assessment. Can the service actually be migrated to an alternative provider? What are the technical dependencies, data portability constraints, and integration complexities? For services deeply embedded in your operating architecture — core banking platforms, payment processing infrastructure, market data feeds — technical migration may require months or years of preparation.

Alternative provider identification. Who are the viable alternatives? Have they been assessed against your security, resilience, and regulatory requirements? Are they themselves CTPPs (which would create concentration risk in a different direction)? Maintaining a pre-qualified shortlist of alternative providers is a practical necessity.

Transition planning. What is the migration sequence? What are the milestones, resource requirements, and risk mitigation measures? What parallel-run period is needed to validate the alternative before decommissioning the CTPP service? A credible transition plan should be specific enough to execute, not generic enough to satisfy a checkbox.

Cost and timeline estimation. Exit is expensive. Migration projects for critical infrastructure services routinely cost millions of euros and take 12-24 months. Your exit strategy must include realistic cost and timeline estimates that have been validated by technical teams, not assumed by governance teams.

Regular testing. An exit strategy that has never been tested is a document, not a plan. At minimum, organizations should conduct tabletop exercises that walk through the exit scenario, identify decision points and dependencies, and surface assumptions that may not hold under stress. For the most critical CTPP dependencies, technical proof-of-concept migrations to alternative providers may be warranted.

Enterprise Dependency Topology

The CTPP designation forces a shift in how financial entities think about their ICT third-party relationships. The traditional model — bilateral assessments of individual providers — is insufficient. What is needed is an enterprise dependency topology: a map that shows how providers connect, where dependencies cluster, and what fails together.

Building this topology requires:

Function-to-provider mapping. For each critical or important function (as defined under DORA Art. 3(22)), identify all ICT providers that support it — directly and through sub-outsourcing chains. This creates a matrix where rows are functions and columns are providers, with cells indicating the nature and criticality of each dependency.

Failure correlation analysis. Identify which functions would be simultaneously affected by a single provider disruption. Two functions that independently depend on the same CTPP are correlated in their failure modes, even if they appear independent in your organizational structure. This correlation is invisible in bilateral assessments but critical for concentration risk management.

Cascade modeling. When a CTPP experiences disruption, what second-order effects occur? If your direct provider loses their infrastructure provider (a CTPP), your service is affected even though your direct provider has not "failed." Cascade modeling maps these propagation paths and estimates the aggregate business impact.
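To make the topology concrete, here is an added example (not FortisEU's module and not code from the article) that models a register of functions, direct providers and sub-outsourcing chains as a graph, then computes which functions each CTPP's disruption would take down, whether directly or through a cascade, and which function pairs are failure-correlated. All function, provider and CTPP names are constructed placeholders, not the ESAs' designation list.

```python
# Constructed sample register: critical or important functions and the
# ICT providers each depends on directly. All names are placeholders.
FUNCTION_PROVIDERS = {
    "payments": ["core-banking-saas", "payment-gateway"],
    "customer-onboarding": ["kyc-vendor"],
    "trading": ["market-data-feed", "cloud-a"],
    "reporting": ["core-banking-saas"],
}
# Constructed sub-outsourcing chain: provider -> providers it relies on.
SUB_OUTSOURCING = {
    "core-banking-saas": ["cloud-a"],
    "payment-gateway": ["cloud-a"],
    "kyc-vendor": ["cloud-b"],
}
# Placeholder set standing in for the published CTPP list.
CTPPS = {"cloud-a", "cloud-b"}


def upstream(provider, chain=SUB_OUTSOURCING):
    """Every provider the given one transitively relies on (the cascade path)."""
    seen, stack = set(), list(chain.get(provider, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(chain.get(p, []))
    return seen


def ctpp_exposure(functions=FUNCTION_PROVIDERS, chain=SUB_OUTSOURCING, ctpps=CTPPS):
    """Map each CTPP to the functions that fail if it is disrupted, tagging each
    dependency as direct or indirect through a sub-outsourcing chain."""
    exposure = {}
    for func, providers in functions.items():
        for p in providers:
            if p in ctpps:  # direct contractual dependency always wins the tag
                exposure.setdefault(p, {})[func] = "direct"
            for up in upstream(p, chain):
                if up in ctpps:  # indirect dependency: no contract, real exposure
                    exposure.setdefault(up, {}).setdefault(func, f"indirect via {p}")
    return exposure


def correlated_functions(exposure):
    """Function pairs whose failure modes are correlated through a shared CTPP."""
    pairs = set()
    for funcs in exposure.values():
        names = sorted(funcs)
        pairs.update((a, b) for i, a in enumerate(names) for b in names[i + 1:])
    return pairs
```

The number of functions listed under a CTPP is its concentration count across critical or important functions, and the indirect tags record the sub-outsourcing path that a bilateral assessment of the direct provider would never surface.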

FortisEU's risk management capabilities support this topology modeling, allowing risk managers to visualize dependency clusters, simulate disruption scenarios, and quantify concentration exposure in financial terms that support board-level decision-making.

Supervisory Expectations in Practice

Based on early supervisory engagement patterns since DORA's go-live, regulators are asking specific questions about CTPP-related risk management:

"Show me your concentration risk assessment for designated CTPPs." This is a direct test of Art. 29 compliance. The assessment must be current, quantified, and connected to your register of information.

"What is your exit strategy for [specific CTPP]?" Supervisors select a CTPP from your register and ask for the exit plan. They evaluate feasibility, not just existence. A two-page document that says "we would migrate to an alternative provider" is insufficient. They want timelines, cost estimates, technical feasibility analysis, and evidence of testing.

"How do you monitor CTPP risk between assessment cycles?" Periodic annual assessments are not sufficient for CTPP-level dependencies. Supervisors expect continuous or near-continuous monitoring of CTPP risk indicators: service performance, incident notifications, financial stability, regulatory actions, and contractual compliance.

"How does CTPP risk feed into your management body reporting?" Art. 5(2) requires the management body to bear ultimate responsibility for ICT risk management. Supervisors verify that CTPP concentration risk is visible at the management body level and that documented decisions about risk acceptance or mitigation exist.

Practical Steps for This Quarter

For financial entities processing the implications of the November 2025 CTPP designation, the following actions should be completed within the current quarter:

Re-tier your provider portfolio. Using the published CTPP list, re-assess the criticality of all ICT third-party arrangements. Arrangements involving CTPPs should be elevated in your oversight hierarchy regardless of their previous tier. Update your register of information accordingly.

Validate exit strategy feasibility. For each CTPP-dependent service, assess whether your current exit strategy is technically feasible and operationally realistic. If exit strategies do not exist or consist of generic statements, commission detailed exit planning from technical teams.

Map indirect CTPP dependencies. Query your direct providers about their use of designated CTPPs. Update your register of information and concentration risk assessment to reflect indirect dependencies through sub-outsourcing chains.

Establish CTPP monitoring cadence. Implement continuous or monthly monitoring for designated CTPPs. Track service performance, incident notifications, regulatory actions, and any changes to the services provided. Do not rely on annual assessment cycles for dependencies of this magnitude.

Brief the management body. Present the CTPP designation and its implications to the management body. Include the updated concentration risk assessment, exit strategy status, and recommended actions. Document the management body's engagement and any decisions in meeting minutes — supervisors will request these.

Review contractual provisions. Examine contracts with designated CTPPs against Art. 28 requirements. Identify gaps in audit rights, incident notification, sub-outsourcing transparency, and exit provisions. Plan contract renegotiation where gaps exist.

The Strategic Dimension

Beyond compliance, the CTPP designation creates strategic questions for financial entities. Over-reliance on a small number of dominant ICT providers limits strategic flexibility, creates pricing dependency, and concentrates innovation risk. Organizations that invest now in multi-provider architectures, portable data formats, and abstracted integration layers will be better positioned — not just for regulatory compliance, but for operational resilience and competitive agility.

The cost of this investment is real. Multi-provider architectures are more complex to operate. Abstraction layers add engineering overhead. Maintaining alternative provider relationships when you may never activate them is a carrying cost with uncertain return. But the alternative — total dependency on a single provider whose regulatory status you do not control — is a strategic risk that boards must consciously accept or actively mitigate.

Key Takeaways

  • CTPP designation transforms concentration risk from abstract to named. Financial entities must now specifically address their dependency on designated CTPPs in concentration risk assessments, exit strategies, and management body reporting.

  • Exit strategies must be operationally credible, not just documented. Supervisors evaluate feasibility: technical migration paths, alternative provider identification, cost and timeline estimates, and evidence of testing. Generic exit statements will draw findings.

  • Indirect dependencies are as significant as direct ones. Sub-outsourcing chains that include CTPPs create concentration risk that must be captured in your register of information and risk assessments. Map the full dependency topology, not just your direct contracts.

  • Continuous monitoring replaces annual assessment for CTPPs. Monthly or continuous monitoring of CTPP risk indicators — service performance, incidents, regulatory actions — is the supervisory expectation for dependencies of this magnitude.

  • Concentration risk is a strategic question, not just a compliance question. Boards should evaluate CTPP dependency not only through a regulatory lens but through a strategic lens: does this dependency limit our operational resilience, pricing leverage, and innovation flexibility?
