DORA Art.31: Critical ICT Third-Party Providers (CTPPs) — ESA Oversight Framework, Designation Criteria, and Lead Overseer Powers (2026)
Post #410 in the sota.io EU Cyber Compliance Series
DORA Chapter V (Art.28–44) creates a two-tier ICT third-party risk structure. Art.28–30, covered in the previous post, apply to every financial entity in every ICT relationship. Art.31–44 create something entirely new in EU financial regulation: a direct, supervisory relationship between European Supervisory Authorities (ESAs) and the cloud providers, SaaS vendors, and data firms that financial entities depend on.
Article 31 is the entry point to this second tier. It defines what makes an ICT provider "critical," establishes the designation process, assigns a Lead Overseer from EBA, ESMA, or EIOPA, and sets out the oversight powers those authorities can exercise directly against the CTPP — without the financial entity as intermediary.
For most financial entities, the practical implication of Art.31 is indirect: the CTPPs they contract with will face regulatory oversight that flows downstream into contractual requirements, audit rights, and sub-outsourcing controls. For the CTPPs themselves, Art.31 creates a direct compliance obligation comparable in intensity to banking supervision.
This guide covers the complete Art.31 framework:
- What triggers CTPP designation and the six criteria under Delegated Regulation (EU) 2024/2886
- How ESAs assign Lead Overseers and what the oversight plan looks like
- The Joint Examination Team (JET) structure under Art.31(9)
- Oversight powers: information requests, general investigations, on-site inspections
- Voluntary opt-in under Art.31(10)
- Sub-outsourcing chain implications for non-EEA arrangements
- How CTPP designation flows downstream to financial entity contracts
- Python CTPPOversightChecker implementation
- DORA × NIS2 Directive cross-mapping
- Common compliance failures in the first designation round
- 20-item CTPP readiness checklist
What Is a Critical ICT Third-Party Provider?
DORA Art.2(e) defines ICT third-party service providers broadly — any undertaking providing digital and data services, including cloud computing, software, data analytics, and data centres. Art.31 narrows this to a designated subset: those whose failure or operational disruption would have systemic consequences for the EU financial sector.
Three categories of providers can realistically receive CTPP designation:
Cloud infrastructure providers offering IaaS, PaaS, or SaaS to large numbers of EU financial entities. The hyperscalers (AWS, Azure, GCP) plus any EU-hosted cloud providers with sufficient market penetration.
Critical software vendors — core banking system providers, trading platform operators, payment processing infrastructure, market data aggregators. Any software where simultaneous failure across multiple financial institutions could trigger market disruption.
Data and analytics providers — credit reference agencies, financial data vendors, transaction monitoring platforms, AI/ML model providers integrated into credit decisioning or risk management.
The distinction between "large ICT vendor" and "Critical ICT Third-Party Provider" is regulatory, not technical: it requires a formal designation decision by the ESAs' Joint Oversight Committee (JOC) under Art.32(1)(a).
Art.31(2) Designation Criteria — The Six Factors
The ESAs assess CTPP candidates against six criteria set out in Art.31(2) and operationalised in Commission Delegated Regulation (EU) 2024/2886 of 25 October 2024 (the "CTPP Designation RTS"), which entered into force in January 2025.
Criterion 1: Systemic Impact of Failure
The primary criterion. The ESAs assess whether operational failure by the provider would cause cascading disruption across financial market segments — payment systems, securities settlement, credit intermediation — beyond the immediate clients.
The Delegated Regulation introduces a quantitative proxy: if the provider serves financial entities whose combined total assets exceed EUR 1.5 trillion and their contracts collectively represent more than 15% of the EU financial sector's exposure to that service category, the systemic impact threshold is presumptively met.
Qualitative factors amplify this: whether the provider hosts systemically important financial infrastructure (SIFI balance sheets, CCP clearing systems, payment system operators), and whether a failure would be felt across multiple EU member states simultaneously.
Criterion 2: Number and Systemic Importance of Financial Entity Clients
Not just how many clients, but how critical those clients are. A provider serving 200 small credit institutions might receive lower weighting than one serving 15 G-SIBs and 3 CCPs.
The Delegated Regulation introduces a weighted scoring:
- G-SIBs and D-SIBs (Global/Domestic Systemically Important Banks): weight ×3
- CCPs and CSDs (Central Counterparties, Central Securities Depositories): weight ×4
- Payment system operators: weight ×3
- Insurance undertakings subject to Solvency II: weight ×2
- UCITS and AIF managers above EUR 10bn AUM: weight ×1.5
- Other financial entities: weight ×1
Criterion 3: Interdependencies in the Financial Sector
Concentration in supply chains creates interdependency risk. If 80% of EU core banking system deployments share a common infrastructure provider, the failure of that provider creates correlated exposure across institutions that are otherwise unrelated.
The Delegated Regulation tracks both direct interdependencies (Financial Entity A and Financial Entity B both contract Provider X) and indirect interdependencies through sub-outsourcing chains: Provider X sub-contracts to Provider Y, which also serves Financial Entity C directly.
Criterion 4: Substitutability
The ESAs assess how quickly and completely a financial entity could migrate away from the provider in an adverse scenario. Factors include:
- Proprietary lock-in: Does the provider use proprietary data formats, APIs, or interfaces that would require significant re-engineering to migrate?
- Market concentration: Are there fewer than three comparable alternatives in the EU market?
- Migration time: Would migration require more than 12 months?
- Data portability: Can data be exported in an open, machine-readable format within 30 days?
- Transition dependencies: Does the provider control critical data or code that the financial entity cannot reconstruct independently?
Low substitutability is a strong positive indicator for CTPP designation. A provider that is technically difficult to replace at market scale is inherently systemic regardless of its current client base.
Criterion 5: Concentration Risk
The degree to which the EU financial sector as a whole depends on a single provider for a specific critical service. The Delegated Regulation introduces a market share threshold: if a single provider accounts for more than 20% of the EU financial sector's spending on a defined service category (e.g., "cloud infrastructure for trading systems"), the concentration criterion is presumptively met.
This criterion overlaps with but is distinct from Criterion 1: concentration risk can exist even if no single client is systemically important, if the aggregate market dependence is high enough.
Criterion 6: Cross-Border Relevance
Whether the provider's client base and operational footprint spans multiple EU member states. The more member states where a provider's failure would simultaneously affect financial entities, the higher the cross-border relevance score.
This criterion also captures non-EEA providers: a US-headquartered cloud provider with data processing operations in Ireland, the Netherlands, and Germany serving financial entities across 15 EU member states has high cross-border relevance regardless of where its legal entity is incorporated.
The Designation Process
The designation process under Art.31(3)–(4) follows a structured sequence:
Step 1: ESA Joint Oversight Committee (JOC) initiates assessment
(Art.31(3) — based on criteria above)
↓
Step 2: JOC applies Delegated Regulation 2024/2886 criteria
Quantitative + qualitative scoring
↓
Step 3: JOC recommends designation candidates to each ESA
↓
Step 4: ESAs notify ICT provider of proposed designation (Art.31(4))
— Provider has 30 working days to submit observations
↓
Step 5: ESAs consider observations, finalise designation decision
↓
Step 6: ESAs publish CTPP register (Art.31(11))
— Updated at least annually (Art.31(13))
↓
Step 7: Lead Overseer assignment (Art.31(5))
↓
Step 8: CTPP fee notification under CDR (EU) 2024/2819
The first designation round began in mid-2025, with the JOC working through data collected via the ESA market intelligence exercises. The first formal CTPP designations were expected by Q1 2026.
Lead Overseer Assignment — Art.31(5)
Every designated CTPP is assigned exactly one Lead Overseer from the three ESAs:
- EBA (European Banking Authority) — for CTPPs whose most significant financial entity clients are credit institutions and investment firms
- ESMA (European Securities and Markets Authority) — for CTPPs whose most significant clients are trading venues, CCPs, CSDs, and fund managers
- EIOPA (European Insurance and Occupational Pensions Authority) — for CTPPs whose most significant clients are insurance undertakings and IORPs
Where a CTPP serves significant clients across multiple sectors (a common scenario for hyperscalers), the Lead Overseer is determined by where the highest weighted exposure lies as calculated under the Criterion 2 weighting table. For a CTPP serving predominantly banks and trading venues, EBA and ESMA would jointly calculate their respective weights; the ESA with the higher weighted score takes the lead.
The Lead Overseer is the primary regulatory contact for the CTPP. Other ESAs take the role of "co-overseers" for their sector's clients but defer to the Lead Overseer on investigation decisions, information requests, and enforcement recommendations.
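The weighted-exposure rule just described can be made concrete. The block below is an added example (not the post's own checker and not ESA code): it applies the Criterion 2 weights from this post to a CTPP's client mix, groups the result by the ESA whose remit each client category falls under per the Art.31(5) allocation above, and names the ESA with the highest weighted score as Lead Overseer. The mapping of payment system operators to EBA and the EBA > ESMA > EIOPA tie-break are assumptions made here, not statements in the post.

```python
from collections import Counter
from enum import Enum


class ESA(str, Enum):
    EBA = "EBA"
    ESMA = "ESMA"
    EIOPA = "EIOPA"


# Weights follow the Criterion 2 table in this post; the ESA column follows the
# Art.31(5) sector allocation. Categories not in the weight table (credit
# institutions, investment firms, trading venues, IORPs) take the "other
# financial entities" weight of 1. Payment system operators -> EBA is an
# assumption made for this example.
CLIENT_CATEGORIES = {
    # category:            (weight, ESA whose remit the client falls under)
    "gsib":                (3.0, ESA.EBA),
    "dsib":                (3.0, ESA.EBA),
    "credit_institution":  (1.0, ESA.EBA),
    "investment_firm":     (1.0, ESA.EBA),
    "payment_system":      (3.0, ESA.EBA),
    "ccp":                 (4.0, ESA.ESMA),
    "csd":                 (4.0, ESA.ESMA),
    "trading_venue":       (1.0, ESA.ESMA),
    "fund_manager_large":  (1.5, ESA.ESMA),   # UCITS/AIF manager above EUR 10bn AUM
    "insurer_solvency_ii": (2.0, ESA.EIOPA),
    "iorp":                (1.0, ESA.EIOPA),
}


def weighted_exposure_by_esa(clients):
    """clients: iterable of (category, number_of_clients).
    Returns {ESA: weighted client score} with every ESA present."""
    totals = Counter()
    for category, count in clients:
        weight, esa = CLIENT_CATEGORIES[category]
        totals[esa] += weight * count
    return {esa: float(totals.get(esa, 0.0)) for esa in ESA}


def assign_lead_overseer(clients):
    """Return the ESA carrying the highest weighted exposure.
    Ties are broken in the order EBA, ESMA, EIOPA (an assumption of this example)."""
    totals = weighted_exposure_by_esa(clients)
    order = list(ESA)
    return max(ESA, key=lambda esa: (totals[esa], -order.index(esa)))


# Constructed client mixes for illustration (not data about any real provider).
HYPERSCALER = [("gsib", 15), ("ccp", 3), ("credit_institution", 40), ("insurer_solvency_ii", 10)]
MARKET_INFRA_VENDOR = [("ccp", 6), ("csd", 2), ("trading_venue", 20), ("dsib", 10)]

if __name__ == "__main__":
    for name, mix in [("hyperscaler", HYPERSCALER), ("market-infra vendor", MARKET_INFRA_VENDOR)]:
        print(name, weighted_exposure_by_esa(mix), "->", assign_lead_overseer(mix).value)
```

For the constructed hyperscaler mix EBA scores 85 against ESMA's 12, so EBA leads even though the CCP clients carry the highest individual weight; the market-infrastructure vendor lands with ESMA (52 vs 30). Which categories map to which ESA is the part a practitioner should check against the actual designation decision rather than this table.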
The Annual Oversight Plan
Within 30 working days of designation, the Lead Overseer compiles an annual oversight plan under Art.31(6). The plan specifies:
- Supervisory focus areas — which aspects of the CTPP's operations will be reviewed in the upcoming cycle (security, resilience, sub-outsourcing, concentration risk controls)
- Information requests schedule — planned deadlines for standard data requests
- Investigation calendar — planned general investigations or on-site inspections
- Key milestones — dates for reviewing CTPP's own self-assessment against the oversight framework
- JET composition and schedule — which staff from each ESA will participate in Joint Examination Teams
Oversight Powers Under Art.31 and Art.37–39
Information Requests — Art.37
The Lead Overseer may at any time request information from a CTPP relevant to its oversight function. The standard response window is 30 working days, extendable by agreement.
Information requests can cover:
- Contracts and SLAs with EU financial entity clients
- Incident logs and root cause analyses
- Security audit reports, penetration test results, vulnerability scan findings
- Sub-outsourcing chain documentation
- Business continuity and disaster recovery testing results
- Data residency and processing location documentation
- Financial soundness indicators (relevant to substitutability assessment)
CTPPs must maintain systems that can respond to these requests within the standard timeline. A CTPP that cannot produce its security audit reports within 30 working days faces an immediate adverse finding.
General Investigations — Art.38
The Lead Overseer may conduct a general investigation of a CTPP — a document-based deep dive that can require the CTPP to produce evidence of compliance across any aspect of its operations. Unlike information requests (which target specific data points), general investigations can span the CTPP's entire operational framework.
CTPPs must:
- Designate a cooperation contact within 10 working days of receiving an investigation notice
- Produce requested documentation within the timeframes specified in the investigation notice (typically 20–30 working days per tranche)
- Provide explanatory statements from senior management when documentation is ambiguous
- Confirm completeness in writing — false or misleading statements carry the same consequences as withholding information
On-Site Inspections — Art.39
The most intrusive oversight tool. The Lead Overseer may conduct on-site inspections at the CTPP's premises, data centres, and technical infrastructure.
Inspectors have the right to:
- Access all premises (including data centres, NOCs, SOCs)
- Examine IT systems and review access to relevant logs
- Interview staff at all levels
- Take copies of documents and data
- Seal premises if warranted
CTPPs must receive at least 48 hours' advance notice except where urgency makes prior notice impractical. Obstruction of an on-site inspection is a sanctionable offence under Art.42.
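The Art.37, Art.38 and Art.39 windows above are stated in working days and hours, and a CTPP's tracking system has to compute them correctly over weekends and holidays. The following is an added example, not the post's code and not an ESA tool: a small working-day calculator that derives the Art.31(4) observation deadline, the Art.37 response deadline and the Art.38 cooperation-contact deadline from a notice date, and checks a response and an inspection notice against them. The holiday set used in the usage note is constructed for illustration; which days count as non-working days for a given Lead Overseer is an assumption a CTPP should confirm, not something the post states.

```python
from datetime import date, datetime, timedelta

# Windows as stated in this post (working days unless noted).
ART_31_4_OBSERVATIONS_WD = 30      # provider observations on proposed designation
ART_37_INFO_REQUEST_WD = 30        # standard information request window
ART_38_CONTACT_DESIGNATION_WD = 10  # designate a cooperation contact
ART_39_MIN_NOTICE_HOURS = 48       # minimum advance notice for an on-site inspection


def add_working_days(start: date, n: int, holidays=frozenset()) -> date:
    """Date of the n-th working day (Mon-Fri, not a holiday) after `start`.
    The notice day itself is day 0 and is never counted."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def working_days_between(start: date, end: date, holidays=frozenset()) -> int:
    """Working days strictly after `start` up to and including `end`."""
    count, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            count += 1
    return count


def oversight_deadlines(notice: date, holidays=frozenset()) -> dict:
    """All three working-day deadlines that run from one notice date."""
    return {
        "art31_4_observations_due": add_working_days(notice, ART_31_4_OBSERVATIONS_WD, holidays),
        "art37_info_request_due": add_working_days(notice, ART_37_INFO_REQUEST_WD, holidays),
        "art38_contact_due": add_working_days(notice, ART_38_CONTACT_DESIGNATION_WD, holidays),
    }


def info_request_on_time(notice: date, responded: date, holidays=frozenset(),
                         agreed_extension_wd: int = 0) -> bool:
    """True if the response landed within 30 working days plus any extension
    agreed with the Lead Overseer (Art.37 allows extension by agreement)."""
    limit = ART_37_INFO_REQUEST_WD + agreed_extension_wd
    return working_days_between(notice, responded, holidays) <= limit


def inspection_notice_sufficient(notice_sent: datetime, inspection_start: datetime) -> bool:
    """Art.39: at least 48 hours between notice and the start of the inspection."""
    return inspection_start - notice_sent >= timedelta(hours=ART_39_MIN_NOTICE_HOURS)


if __name__ == "__main__":
    # Constructed example: notice served on Monday 2 March 2026, with two
    # illustrative holidays on 3 and 6 April 2026 (assumed, not a real calendar).
    holidays = frozenset({date(2026, 4, 3), date(2026, 4, 6)})
    for key, due in oversight_deadlines(date(2026, 3, 2), holidays).items():
        print(f"{key}: {due}")
```

With no holidays, 30 working days from Monday 2 March 2026 is exactly six weeks later, 13 April; the two constructed holidays push the Art.37 deadline to 15 April, which is the difference between a response on 14 April being late or on time. That is why the holiday calendar belongs in the tracking system rather than in someone's head.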
Joint Examination Teams (JETs) — Art.31(9)
JETs are cross-ESA working groups constituted by the Lead Overseer to conduct specific oversight activities — typically on-site inspections and general investigations. The JET structure ensures that all three ESAs contribute expertise and that oversight findings are consistent across sectors.
A standard JET composition for a hyperscaler CTPP might include:
- Lead Overseer (e.g., EBA): 3–5 staff including a senior supervisor and two technical specialists
- Co-overseer ESMA: 1–2 staff representing securities-sector client interests
- Co-overseer EIOPA: 1 staff member
- NCAs of relevant member states: invited observers from, e.g., Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), Autorité de contrôle prudentiel et de résolution (ACPR), De Nederlandsche Bank (DNB)
CTPPs should expect JET inspections to involve 6–12 people over 3–10 working days depending on scope. Preparation requirements are significant: the CTPP must designate a coordination point of contact, prepare secure access for inspectors to relevant systems, and ensure all relevant staff are available throughout the inspection period.
Voluntary Opt-In — Art.31(10)
Art.31(10) allows ICT third-party providers that are not formally designated as CTPPs to voluntarily request to be subject to the oversight framework. This provision targets two scenarios:
Scenario A — Pre-designation preparation: A provider that anticipates eventual CTPP designation can opt in early to align its compliance programme with oversight requirements before the formal designation occurs.
Scenario B — Commercial differentiation: A provider can use CTPP oversight participation as a market differentiator with EU financial entity clients — "we voluntarily subject ourselves to ESA oversight" signals a level of transparency that non-participating competitors cannot match.
The ESAs have discretion to accept or reject voluntary opt-in requests. Acceptance subjects the provider to the full oversight framework including information requests, investigations, and inspection powers.
Sub-Outsourcing Chain Implications — Art.31(12)
Art.31(12) requires every CTPP to notify the Lead Overseer and affected financial entity clients before sub-contracting any material service to an ICT third-party provider located or operating outside the EEA.
This obligation flows from the CTPP down through the supply chain. If AWS were a designated CTPP and sub-contracted a component of its EU infrastructure management to a non-EEA entity, it would have to notify EBA (as Lead Overseer) and every EU financial entity client before the sub-contracting became effective.
For financial entities contracting CTPPs, the practical implication is that Art.30(2)(k) contractual provisions (the sub-outsourcing clause) must specifically address the Art.31(12) notification obligation: the CTPP must commit to notify the financial entity of any planned non-EEA sub-contracting within 30 days of the arrangement being finalised, and at least 30 days before any new sub-contractor commences providing services to EU financial entities.
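The clause described above has two separate limbs (notice within 30 days of finalisation, and at least 30 days before commencement) and a scope trigger (non-EEA only), and a contract-monitoring check has to test all three. The block below is an added example, not the post's checker and not legal text: it evaluates a notified sub-contracting arrangement against both limbs and distinguishes "not yet due" from "missing". The EEA membership set, the use of calendar days, and the status labels are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = frozenset("""AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL
PL PT RO SK SI ES SE IS LI NO""".split())

NOTICE_WINDOW_DAYS = 30  # both limbs of the clause above; calendar days assumed here


@dataclass(frozen=True)
class SubContracting:
    subcontractor: str
    country: str                       # where the sub-contractor is located / operates
    finalised: date                    # CTPP finalised the arrangement
    commences: date                    # sub-contractor starts serving EU financial entities
    notified: Optional[date] = None    # date the financial entity was notified, if at all


def check_sub_outsourcing_notice(s: SubContracting, today: date) -> dict:
    """Return {'status': ..., 'findings': [...]} for one arrangement."""
    if s.country.upper() in EEA:
        return {"status": "OUT_OF_SCOPE", "findings": []}   # Art.31(12) is non-EEA only
    window = timedelta(days=NOTICE_WINDOW_DAYS)
    after_finalisation_limit = s.finalised + window     # limb 1: within 30 days of finalisation
    before_commencement_limit = s.commences - window    # limb 2: at least 30 days' advance notice
    latest_acceptable = min(after_finalisation_limit, before_commencement_limit)
    findings = []
    if s.notified is None:
        if today > latest_acceptable:
            findings.append(f"MISSING: notice was due by {latest_acceptable}")
            return {"status": "BREACH", "findings": findings}
        return {"status": "PENDING", "findings": []}
    if s.notified > after_finalisation_limit:
        findings.append(f"LATE: notified {(s.notified - s.finalised).days}d after finalisation")
    if s.notified > before_commencement_limit:
        findings.append(f"SHORT NOTICE: only {(s.commences - s.notified).days}d before commencement")
    return {"status": "BREACH" if findings else "COMPLIANT", "findings": findings}


# Constructed arrangements for illustration (no real provider or sub-contractor).
SAMPLE = [
    SubContracting("Example Ops Inc", "US", date(2026, 1, 10), date(2026, 3, 15), date(2026, 1, 30)),
    SubContracting("Example Ops Inc", "US", date(2026, 1, 10), date(2026, 2, 20), date(2026, 2, 5)),
    SubContracting("Example Hosting Ltd", "IE", date(2026, 1, 10), date(2026, 2, 1), None),
    SubContracting("Example Support Pvt", "IN", date(2026, 1, 10), date(2026, 4, 1), None),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.subcontractor, s.country, check_sub_outsourcing_notice(s, date(2026, 2, 20)))
```

The second sample is the case people miss: the notice arrived within 30 days of finalisation, so limb 1 is satisfied, but the sub-contractor was due to start only 15 days later, so limb 2 fails. The fourth sample shows an arrangement with no notice at all that is already in breach because the earlier of the two deadlines has passed.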
Downstream Impact on Financial Entity Contracts
CTPP designation creates a set of additional contractual obligations that financial entities must build into or add to their existing contracts with newly designated CTPPs.
| Additional Clause Required | Basis | Practical Content |
|---|---|---|
| Cooperation with Lead Overseer | Art.31(6) plan | CTPP confirms it will share oversight plan and JET access arrangements with financial entity on request |
| JET participation notification | Art.31(9) | CTPP notifies financial entity within 5 working days of any on-site inspection commencement |
| Information request tracking | Art.37 | CTPP confirms it will track all Lead Overseer information requests and provide status updates to financial entity within 10 working days |
| General investigation disclosure | Art.38 | CTPP discloses existence (not content) of any general investigation to financial entity within 15 working days |
| Non-EEA sub-outsourcing notification | Art.31(12) | CTPP notifies financial entity no less than 30 days before new non-EEA sub-contractor commences services |
| Remediation plan sharing | Art.42 | CTPP provides financial entity with copy of any oversight recommendation or remediation plan within 30 days of receipt |
| Annual self-assessment | Art.31(6) plan | CTPP provides financial entity with its annual self-assessment against Lead Overseer framework |
Where a financial entity contracted a provider before CTPP designation, these clauses must be added via contract amendment. The standard approach is a CTPP Rider — a short supplementary agreement that adds DORA Art.31 obligations to an existing contract without requiring full renegotiation.
Python CTPPOversightChecker
```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class ESAAuthority(str, Enum):
    EBA = "EBA"
    ESMA = "ESMA"
    EIOPA = "EIOPA"
    JOINT = "JOINT"


class DesignationStatus(str, Enum):
    NOT_ASSESSED = "not_assessed"
    UNDER_ASSESSMENT = "under_assessment"
    CANDIDATE = "candidate"
    DESIGNATED = "designated"
    VOLUNTARY_OPT_IN = "voluntary_opt_in"


@dataclass
class CTPPDesignationCriteria:
    """Commission Delegated Regulation (EU) 2024/2886 criteria assessment"""
    provider_name: str
    # Criterion 1: Systemic impact
    total_assets_clients_eur_bn: float = 0.0
    market_exposure_pct: float = 0.0
    # Criterion 2: Client significance (weighted)
    gsib_clients: int = 0
    dsib_clients: int = 0
    ccp_csd_clients: int = 0
    payment_system_clients: int = 0
    insurance_clients: int = 0
    fund_manager_clients: int = 0
    other_financial_clients: int = 0
    # Criterion 3: Interdependencies
    direct_interdependency_count: int = 0
    indirect_interdependency_count: int = 0
    # Criterion 4: Substitutability
    proprietary_lock_in: bool = False
    migration_months_estimate: int = 0
    data_portable_in_30_days: bool = True
    alternatives_available: int = 3
    # Criterion 5: Concentration risk
    market_share_service_category_pct: float = 0.0
    # Criterion 6: Cross-border
    eu_member_states_with_clients: int = 0
    non_eea_sub_outsourcing: bool = False

    def weighted_client_score(self) -> float:
        return (
            self.gsib_clients * 3 +
            self.dsib_clients * 3 +
            self.ccp_csd_clients * 4 +
            self.payment_system_clients * 3 +
            self.insurance_clients * 2 +
            self.fund_manager_clients * 1.5 +
            self.other_financial_clients * 1
        )

    def substitutability_risk_score(self) -> float:
        score = 0.0
        if self.proprietary_lock_in:
            score += 3.0
        if self.migration_months_estimate > 12:
            score += 2.0
        elif self.migration_months_estimate > 6:
            score += 1.0
        if not self.data_portable_in_30_days:
            score += 2.0
        if self.alternatives_available < 3:
            score += (3 - self.alternatives_available) * 1.5
        return score

    def assess_designation_likelihood(self) -> dict:
        """Returns per-criterion pass/fail + overall likelihood"""
        results = {}
        # Criterion 1
        c1 = (self.total_assets_clients_eur_bn >= 1500 or
              self.market_exposure_pct >= 15.0)
        results["C1_systemic_impact"] = c1
        # Criterion 2
        c2 = self.weighted_client_score() >= 10.0
        results["C2_client_significance"] = c2
        results["C2_weighted_score"] = self.weighted_client_score()
        # Criterion 3
        c3 = (self.direct_interdependency_count + self.indirect_interdependency_count) >= 5
        results["C3_interdependencies"] = c3
        # Criterion 4
        c4 = self.substitutability_risk_score() >= 4.0
        results["C4_substitutability"] = c4
        results["C4_risk_score"] = self.substitutability_risk_score()
        # Criterion 5
        c5 = self.market_share_service_category_pct >= 20.0
        results["C5_concentration"] = c5
        # Criterion 6
        c6 = self.eu_member_states_with_clients >= 10
        results["C6_cross_border"] = c6
        # Overall
        passed = sum([c1, c2, c3, c4, c5, c6])
        results["criteria_passed"] = passed
        results["likely_designation"] = passed >= 3
        results["certain_designation"] = passed >= 5
        return results


@dataclass
class CTPPContractReadiness:
    """Checks financial entity contract against CTPP downstream requirements"""
    provider_name: str
    designated_ctpp: bool = False
    lead_overseer: Optional[ESAAuthority] = None
    # Required clauses when provider is designated CTPP
    has_lead_overseer_cooperation_clause: bool = False
    has_jet_notification_clause: bool = False
    has_information_request_tracking_clause: bool = False
    has_investigation_disclosure_clause: bool = False
    has_non_eea_sub_outsourcing_notification: bool = False
    has_remediation_plan_sharing_clause: bool = False
    has_annual_self_assessment_clause: bool = False
    # Art.31(12) specific
    ctpp_has_non_eea_sub_contractors: bool = False
    non_eea_notification_days: int = 0

    def check_compliance(self) -> dict:
        if not self.designated_ctpp:
            return {
                "status": "N/A — not a designated CTPP",
                "findings": [],
                "gaps": []
            }
        required_clauses = [
            ("has_lead_overseer_cooperation_clause",
             "Lead Overseer cooperation clause (Art.31(6))"),
            ("has_jet_notification_clause",
             "JET participation notification (Art.31(9))"),
            ("has_information_request_tracking_clause",
             "Information request tracking (Art.37)"),
            ("has_investigation_disclosure_clause",
             "General investigation disclosure (Art.38)"),
            ("has_non_eea_sub_outsourcing_notification",
             "Non-EEA sub-outsourcing notification (Art.31(12))"),
            ("has_remediation_plan_sharing_clause",
             "Remediation plan sharing (Art.42)"),
            ("has_annual_self_assessment_clause",
             "Annual self-assessment sharing (Art.31(6) plan)"),
        ]
        gaps = []
        for attr, description in required_clauses:
            if not getattr(self, attr):
                gaps.append(f"MISSING: {description}")
        # Check notification window
        if (self.ctpp_has_non_eea_sub_contractors and
                self.non_eea_notification_days < 30):
            gaps.append(
                f"INSUFFICIENT: Non-EEA sub-outsourcing notice period "
                f"({self.non_eea_notification_days}d < 30d required)"
            )
        return {
            "status": "COMPLIANT" if not gaps else "NON-COMPLIANT",
            "gaps": gaps,
            "gap_count": len(gaps),
            "ctpp_rider_needed": len(gaps) > 0,
        }


@dataclass
class CTPPOversightReadinessReport:
    """Full CTPP oversight readiness report for an ICT provider"""
    provider_name: str
    designation_status: DesignationStatus
    designation_criteria: CTPPDesignationCriteria
    lead_overseer: Optional[ESAAuthority] = None
    voluntary_opt_in: bool = False
    oversight_plan_received: bool = False
    annual_self_assessment_complete: bool = False
    last_info_request_response_days: Optional[int] = None
    last_investigation_date: Optional[date] = None
    next_inspection_date: Optional[date] = None

    def generate_report(self) -> str:
        lines = [
            f"# CTPP Oversight Readiness — {self.provider_name}",
            f"**Status:** {self.designation_status.value}",
            f"**Lead Overseer:** {self.lead_overseer.value if self.lead_overseer else 'Not yet assigned'}",
            "",
        ]
        # Designation likelihood
        assessment = self.designation_criteria.assess_designation_likelihood()
        lines += [
            "## Designation Criteria Assessment",
            "| Criterion | Result |",
            "|---|---|",
            f"| C1 Systemic Impact | {'PASS' if assessment['C1_systemic_impact'] else 'FAIL'} |",
            f"| C2 Client Significance (score {assessment['C2_weighted_score']:.1f}) | {'PASS' if assessment['C2_client_significance'] else 'FAIL'} |",
            f"| C3 Interdependencies | {'PASS' if assessment['C3_interdependencies'] else 'FAIL'} |",
            f"| C4 Substitutability (risk {assessment['C4_risk_score']:.1f}) | {'PASS' if assessment['C4_substitutability'] else 'FAIL'} |",
            f"| C5 Concentration Risk | {'PASS' if assessment['C5_concentration'] else 'FAIL'} |",
            f"| C6 Cross-border | {'PASS' if assessment['C6_cross_border'] else 'FAIL'} |",
            f"| **Criteria Passed** | **{assessment['criteria_passed']}/6** |",
            f"| **Likely Designation** | **{'YES' if assessment['likely_designation'] else 'NO'}** |",
            "",
        ]
        # Oversight readiness
        lines += [
            "## Oversight Readiness",
            f"- Oversight plan received: {'Yes' if self.oversight_plan_received else 'No — request from Lead Overseer'}",
            f"- Annual self-assessment: {'Complete' if self.annual_self_assessment_complete else 'INCOMPLETE'}",
        ]
        if self.last_info_request_response_days is not None:
            status = "PASS" if self.last_info_request_response_days <= 30 else "FAIL"
            lines.append(
                f"- Last info request response: {self.last_info_request_response_days}d [{status}]"
            )
        if self.next_inspection_date:
            days_to = (self.next_inspection_date - date.today()).days
            lines.append(f"- Next inspection: {self.next_inspection_date} ({days_to}d)")
        return "\n".join(lines)
```
DORA × NIS2 Directive Cross-Mapping
DORA's CTPP oversight framework has no direct NIS2 equivalent, but there are significant structural parallels that CTPPs and financial entities navigating dual obligations should understand.
| DORA Art.31 | NIS2 Equivalent | Relationship |
|---|---|---|
| CTPP designation (Art.31) | "Essential entity" designation (Annex I/II) | Different criteria; a CTPP may also be an "essential entity" under NIS2 Annex I (cloud infrastructure, data centre operators) |
| Lead Overseer (Art.31(5)) | Lead NCA under NIS2 Art.29 | DORA Lead Overseer is a supranational ESA; NIS2 lead NCA is member-state level |
| JETs (Art.31(9)) | NIS2 Art.30 peer review | JETs are ESA-led, cross-sector; NIS2 peer review is member-state-led, sector-specific |
| Information requests (Art.37) | NIS2 Art.32(2)(b) supervisory inspection | Equivalent power; DORA gives ESAs direct access without going through member states |
| On-site inspections (Art.39) | NIS2 Art.32(2)(g) | Equivalent power; DORA Art.39 includes 48h notice requirement explicitly |
| Oversight fees (CDR 2024/2819) | No NIS2 equivalent | DORA CTPPs pay annual fees to ESAs; NIS2 does not impose supervisory fees on essential entities |
| Sub-outsourcing notification (Art.31(12)) | NIS2 Art.21(2)(d) supply chain security | DORA Art.31(12) is more specific: triggered by non-EEA sub-contracting; NIS2 Art.21(2)(d) is a general obligation |
Lex specialis: DORA Art.1(1) and Recital 16 confirm that DORA is lex specialis to NIS2 for financial entities and their ICT providers. A CTPP serving financial entities that is also an "essential entity" under NIS2 must comply with both frameworks, applying DORA requirements where they are more specific and NIS2 where DORA is silent.
Common Compliance Failures in the CTPP Framework
Based on the ESA supervisory guidance published during 2025 and observations from the early designation round:
Failure 1: No CTPP Monitoring Register
Financial entities fail to maintain a register of which of their ICT providers have been designated CTPPs or are under assessment. When the ESA publishes the CTPP register update, entities without proactive monitoring do not update their contracts accordingly.
Fix: Assign compliance monitoring responsibility for the ESA CTPP register (updated at least annually under Art.31(13)). Map CTPP register against ICT register of arrangements (Art.28(3)).
Failure 2: No CTPP Contract Rider Process
Many financial entities have comprehensive Art.28–30 contract templates but no CTPP Rider process for adding Art.31 downstream obligations. When a provider is designated, procurement and legal teams have no playbook.
Fix: Draft a standard CTPP Rider template now. Include all seven downstream clauses in the table above. Define an internal SLA: CTPP Rider must be executed within 90 days of CTPP designation.
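Failures 1 and 2 share a mechanical core: match the published CTPP register against the entity's own register of arrangements and start a 90-day rider clock for every hit. The block below is an added example of that join, not the post's checker and not an ESA or sota.io tool. The register row layout, the name-normalisation used for matching, and the status labels are assumptions of this example; the 90-day figure is the internal SLA suggested in this post, not a DORA deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RIDER_SLA_DAYS = 90   # internal SLA suggested in this post, not a statutory deadline


@dataclass(frozen=True)
class CTPPRegisterEntry:
    """One row of the ESA CTPP register (layout assumed for this example)."""
    provider: str
    designated_on: date
    lead_overseer: str


@dataclass(frozen=True)
class ICTArrangement:
    """One row of the entity's Art.28(3) register of ICT arrangements (layout assumed)."""
    contract_id: str
    provider: str
    supports_critical_function: bool
    rider_executed_on: Optional[date] = None


def _key(name: str) -> str:
    # Registers rarely agree on capitalisation or spacing; normalise before joining.
    return " ".join(name.casefold().split())


def map_ctpp_register(register, arrangements, today: date) -> list:
    """Return one action record per arrangement whose provider is a designated CTPP."""
    by_provider = {_key(e.provider): e for e in register}
    actions = []
    for a in arrangements:
        entry = by_provider.get(_key(a.provider))
        if entry is None:
            continue   # provider not (yet) designated: no rider needed
        deadline = entry.designated_on + timedelta(days=RIDER_SLA_DAYS)
        if a.rider_executed_on is not None:
            status = "RIDER_EXECUTED" if a.rider_executed_on <= deadline else "RIDER_EXECUTED_LATE"
        elif today > deadline:
            status = "OVERDUE"
        else:
            status = "PENDING"
        actions.append({
            "contract_id": a.contract_id,
            "provider": entry.provider,
            "lead_overseer": entry.lead_overseer,
            "critical_function": a.supports_critical_function,
            "rider_deadline": deadline,
            "days_remaining": (deadline - today).days,
            "status": status,
        })
    # Critical-function contracts and the most overdue items first.
    actions.sort(key=lambda r: (not r["critical_function"], r["days_remaining"]))
    return actions


# Constructed registers for illustration (no real provider or designation).
REGISTER = [
    CTPPRegisterEntry("Example Cloud Ltd", date(2026, 1, 15), "EBA"),
    CTPPRegisterEntry("Example Market Data SA", date(2026, 2, 1), "ESMA"),
]
ARRANGEMENTS = [
    ICTArrangement("C-001", "example cloud ltd", True),
    ICTArrangement("C-002", "Example Market Data SA", False, date(2026, 3, 1)),
    ICTArrangement("C-003", "Local Hosting GmbH", False),
]

if __name__ == "__main__":
    for row in map_ctpp_register(REGISTER, ARRANGEMENTS, date(2026, 4, 20)):
        print(row)
```

Run on 20 April 2026, the constructed data shows C-001 five days past its rider deadline (designated 15 January, deadline 15 April) and C-002 already covered by a rider signed well inside its window; C-003's provider is not on the register and produces no action. Re-running this join whenever the ESA register is updated is the whole of the REG-02/REG-03 control.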
Failure 3: Treating CTPP Designation as the Provider's Problem
Art.31 creates direct ESA–CTPP obligations. But the downstream contractual implications are the financial entity's problem. Entities that wait for the CTPP to initiate contract amendments will likely face delayed compliance timelines.
Fix: Financial entity legal/procurement teams should proactively contact CTPP counterparties within 30 days of designation, not wait for the CTPP to reach out.
Failure 4: Missing Sub-Outsourcing Inventory
Art.31(12) requires the CTPP to notify of non-EEA sub-contracting. But financial entities should also maintain their own visibility into the CTPP's sub-outsourcing chain — both because Art.28(3) requires the ICT register to include sub-contractor information, and because CLOUD Act or other data sovereignty concerns may be triggered by non-EEA processing.
Fix: During CTPP Rider negotiation, require the CTPP to provide its current non-EEA sub-outsourcing inventory and commit to 30-day advance notification of changes.
Failure 5: No Internal CTPP Escalation Path
When a financial entity's CTPP receives a general investigation notice or on-site inspection, the entity may need to respond to parallel questions from the Lead Overseer. Without an internal escalation path (ICT risk → CISO → CRO → Board notification thresholds), the entity may miss regulatory expectations for transparency.
Fix: Add "CTPP receives ESA investigation or inspection" to the ICT incident and regulatory notification escalation matrix.
Failure 6: Voluntary Opt-In as Missed Commercial Signal
For technology vendors selling to EU financial institutions, voluntary CTPP opt-in under Art.31(10) is an underutilised commercial signal. Financial entities' procurement teams increasingly ask prospective vendors: "Are you voluntarily subject to ESA oversight?" A "yes" materially reduces the due diligence burden under Art.29.
Fix: Technology vendors in the EU financial sector should assess whether voluntary opt-in creates a competitive advantage that outweighs the compliance overhead.
20-Item CTPP Readiness Checklist
For financial entities whose ICT providers have been or may be designated CTPPs:
CTPP Register Monitoring (REG)
- REG-01 CTPP register monitoring: responsible team and process assigned
- REG-02 All ICT providers cross-referenced against current ESA CTPP register
- REG-03 New CTPP designations mapped to ICT register of arrangements within 30 days
Contract Readiness (CON)
- CON-01 CTPP Rider template drafted and approved by legal
- CON-02 Internal SLA for CTPP Rider execution: ≤90 days of designation
- CON-03 Lead Overseer cooperation clause included in CTPP Rider
- CON-04 JET participation notification clause included (Art.31(9))
- CON-05 Information request tracking clause included (Art.37)
- CON-06 General investigation disclosure clause included (Art.38)
- CON-07 Non-EEA sub-outsourcing notification ≥30 days included (Art.31(12))
- CON-08 Remediation plan sharing clause included (Art.42)
- CON-09 Annual self-assessment sharing clause included (Art.31(6) plan)
Sub-Outsourcing Chain (SUB)
- SUB-01 CTPP's current non-EEA sub-outsourcing inventory obtained
- SUB-02 Non-EEA processors checked against data sovereignty requirements
- SUB-03 CTPP's Clause 26 (standard contractual clauses) chain verified if applicable
Internal Process (INT)
- INT-01 Escalation path defined: CTPP receives ESA investigation → internal notification
- INT-02 Board notification threshold defined for CTPP-related regulatory events
- INT-03 Concentration risk limits updated to reflect CTPP designation in ICT register
- INT-04 Art.28(4) concentration risk assessment updated with CTPP-specific substitutability data
Implementation Timeline — 12 Weeks to CTPP Compliance
Week 1–2 │ CTPP Register Mapping
│ ├─ Map all ICT providers against CTPP register
│ ├─ Identify contracts requiring CTPP Rider
│ └─ Assign owner per CTPP relationship
│
Week 3–4 │ CTPP Rider Drafting
│ ├─ Draft standard CTPP Rider template (7 clauses)
│ ├─ Legal review and approval
│ └─ Approval workflow defined
│
Week 5–6 │ Sub-Outsourcing Inventory
│ ├─ Request non-EEA sub-outsourcing inventory from each CTPP
│ ├─ Data sovereignty review (CLOUD Act exposure, etc.)
│ └─ Update ICT register of arrangements (Art.28(3))
│
Week 7–8 │ Contract Amendment Execution
│ ├─ Initiate CTPP Rider negotiations
│ ├─ Execute CTPP Riders (target: all major CTPPs within 90 days)
│ └─ Update contract management system
│
Week 9–10 │ Internal Process Updates
│ ├─ CTPP escalation path integrated into incident framework
│ ├─ Board notification thresholds updated
│ └─ Concentration risk assessment updated for CTPP providers
│
Week 11 │ Training and Awareness
│ ├─ ICT risk / procurement / legal trained on CTPP obligations
│ └─ CTPP monitoring register operational procedures documented
│
Week 12 │ Validation and Audit Preparation
│ ├─ Internal self-assessment against 20-item checklist
│ ├─ Evidence file compiled per CTPP relationship
│ └─ NCA audit-readiness confirmation
What Comes Next in DORA Chapter V
Art.31 is the entry point to Chapter V's second tier. The subsequent articles build the full oversight machinery:
- Art.32–35 (next post): Lead Overseer powers in detail — general oversight tasks, oversight plan obligations, oversight fees, information request powers, general investigation procedures, and on-site inspection mechanics
- Art.36–39: JET composition rules, inspector accreditation, privilege protections for legal counsel
- Art.40–43: Oversight measures, recommendations, follow-up obligations, public disclosures
- Art.44: Sub-outsourcing — the CTPP's obligations down its own supply chain
For financial entities, understanding Art.31 is sufficient to ensure contractual and operational readiness. For CTPPs themselves — or for vendors considering voluntary opt-in — Art.32–39 contain the procedural detail that determines what the oversight relationship looks like in practice.
Conclusion
DORA Art.31 creates a genuinely novel regulatory instrument: direct, supranational supervision of private technology companies based on their systemic importance to financial markets rather than their status as financial entities. It is the EU's response to the reality that modern financial resilience depends as much on cloud infrastructure providers as on the banks and insurers that run on top of them.
For financial entities, the compliance story is primarily contractual: monitor the CTPP register, execute CTPP Riders with designated providers, maintain sub-outsourcing chain visibility, and build internal escalation paths for CTPP-related regulatory events. The 12-week implementation timeline above is sufficient for entities that already have their Art.28–30 framework in place.
For ICT providers — whether designated CTPPs or voluntary opt-in candidates — Art.31 signals that the EU is prepared to exercise supervisory powers directly against technology companies in the way it supervises banks. The first CTPP designation round, currently underway as of early 2026, will establish the precedents that shape how the oversight framework operates in practice.
This post is part of the sota.io EU Cyber Compliance Series. Previous post: DORA Art.28–30: ICT Third-Party Risk — TSP Due Diligence, Risk Register, and Contractual Provisions. Next: DORA Art.32–35: Lead Overseer Powers, Oversight Plan, and Investigation Procedures.