European regulators have designated 19 firms as critical ICT third-party suppliers to the financial services sector under the EU's Digital Operational Resilience Act (DORA).

The list primarily features consultancies and systems integrators (Accenture, Capgemini, Tata Consultancy Services), data centre operators (Colt, Equinix), cloud providers (AWS, Google, Microsoft, Oracle) and software and services firms (IBM, Kyndryl, SAP).

It also features Bloomberg, Deutsche Telekom, Fidelity, and LSEG.

The list's release comes ten months after DORA took effect.

See also: LSEG cites DORA as it flags its multi-region cloud failover efforts

The designations follow a "detailed criticality assessment" across banking, insurance, pensions, securities and markets conducted by the three European Supervisory Authorities, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

DORA’s 19 critical suppliers

“This assessment was carried out in line with the multifaceted criteria set out in DORA, which required a complete evaluation of a provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services,” the EBA said.

Arguably notable by their absence from the list, published on November 18, are other large SIs such as Cognizant, DXC Technology, Deloitte, Infosys and Wipro, as well as other major data centre providers such as Digital Realty. The same could be argued for Cloudflare, which underpins a large share of the internet's infrastructure and whose outages have a visible impact on financial services.

Inclusion puts the 19 firms in scope for "direct oversight engagement", through which Europe's financial regulators will assess whether they "have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities."

DORA took effect on January 17, 2025.

It aims to deliver a single regulatory framework for digital operational resilience across the EU's financial services sector. Its requirements include regular threat-led penetration testing (TLPT) of live production systems for in-scope entities. Among other rules, it requires firms to map the "length and complexity of the chain of subcontractors providing ICT services that support critical or important functions… used by the ICT third-party service provider."

European authorities continue to work through specific industry questions about the regulation. This month, for example, EIOPA published its final answer to a question about what, precisely, constitutes "own systems" and "source ICT systems" in the context of backup restoration (terms that, it admitted, are "not defined in DORA").

(These "should be understood as restoring the backup data by using ICT systems for which the financial entity has full control and responsibility. When the financial entity restores the backup data, it shall use ICT systems that are not directly connected with the main one and that are securely protected from any unauthorized access or ICT corruption," it said.)

See also: Operational resilience and stress-testing for "wartime".
