EU Places Tech Giants Amazon, Google Under Direct Financial Oversight as ‘Critical’ Providers Under DORA

Brussels, Belgium – November 18, 2025 – In a landmark move to bolster the digital resilience of its financial sector, the European Union has officially designated 19 major technology companies, including global powerhouses Amazon Web Services (AWS), Google Cloud, and Microsoft, as “critical third-party computing providers” under the Digital Operational Resilience Act (DORA). The designation makes these firms **DORA Critical Providers** and grants EU-level financial regulators direct supervisory powers over them, with the aim of mitigating systemic risks stemming from the sector’s increasing reliance on external technology services.

The Digital Operational Resilience Act (DORA): Fortifying Europe’s Financial Sector and DORA Critical Providers

The Digital Operational Resilience Act (DORA), which came into full effect on January 17, 2025, represents a comprehensive regulatory framework designed to harmonize digital operational resilience standards across the EU’s financial industry. The legislation mandates that financial entities – including banks, insurers, investment firms, and other key players – must strengthen their ability to prevent, withstand, respond to, and recover from all types of ICT-related disruptions and threats. This includes significant investments in cybersecurity and robust risk management strategies. A crucial component of DORA is its focus on managing risks associated with the outsourcing of technology functions to third-party providers, particularly those deemed critical to the financial ecosystem, and now officially recognized as **DORA Critical Providers**.

Critical ICT Providers Under the Spotlight

The European Supervisory Authorities (ESAs) – comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) – have identified a select group of technology providers whose services are considered of systemic importance. The list of designated critical ICT third-party providers (CTPPs) includes major cloud infrastructure providers, data center operators, and specialized financial technology service providers, all of whom are now considered **DORA Critical Providers**.

Prominently featured among these critical providers are:

* Amazon Web Services EMEA Sarl
* Google Cloud EMEA Limited
* Microsoft Ireland Operations Limited

Other key entities named include Accenture plc, Bloomberg L.P., Capgemini SE, Colt Technology Services, Deutsche Telekom AG, Equinix (EMEA) B.V., Fidelity National Information Services, Inc., International Business Machines Corporation (IBM), InterXion HeadQuarters B.V., Kyndryl Inc., LSEG Data and Risk Limited, NTT DATA Inc., Oracle Nederland B.V., Orange SA, SAP SE, and Tata Consultancy Services Limited.

The designation process followed a rigorous methodology mandated by DORA, evaluating providers based on criteria such as the potential systemic impact of their failure, the systemic importance of the financial entities relying on them, the concentration of this reliance, and the substitutability of their services. This careful selection ensures that only the most impactful entities, the true **DORA Critical Providers**, are brought under direct scrutiny.

Enhanced Oversight for DORA Critical Providers and New Responsibilities

With this designation, the identified technology firms will face direct oversight from EU-level financial regulators. This means the ESAs will now conduct in-depth examinations of these providers’ risk management frameworks, governance structures, and cybersecurity protocols. The objective is to ensure these **DORA Critical Providers** have robust systems in place to guarantee the resilience of the services they deliver to financial institutions, thereby mitigating the widespread impact a potential outage could have across the EU’s financial sector. This oversight includes assessing incident reporting procedures, subcontracting practices, and overall ICT security measures.

The Growing Dependence on Technology and DORA Critical Providers

Europe’s financial industry has become increasingly dependent on sophisticated technology and cloud computing for essential operations, from payments processing and data analytics to customer services. This deep integration, while fostering innovation and efficiency, also creates vulnerabilities. Regulators have voiced concerns that a significant disruption at a widely used technology provider, such as those now designated as **DORA Critical Providers**, could cascade through multiple financial institutions simultaneously, potentially impacting the stability of the entire financial system. The recent designation reflects a proactive approach to managing these interconnected risks, especially in light of rising cyber threats and geopolitical tensions.

Reactions and Future Implications for DORA Critical Providers

Several of the designated companies, now identified as **DORA Critical Providers**, have publicly welcomed the move, viewing it as an opportunity for enhanced collaboration and regulatory clarity. Google Cloud stated its commitment to working with customers and regulators to drive greater resilience, while Microsoft reiterated its dedication to meeting Europe’s cybersecurity standards. The EU regulators emphasized that the goal is to strengthen resilience, not to stifle competition or innovation within the technology sector. This news serves as a critical update for the financial technology landscape, particularly for these key **DORA Critical Providers**.

The implementation of DORA and the direct oversight of critical ICT third-party providers mark a significant evolution in regulatory supervision. They underscore the shared responsibility between financial institutions and their technology partners in safeguarding the integrity and operational continuity of Europe’s financial markets. As these designated providers, now officially **DORA Critical Providers**, adapt to this new oversight, the focus remains on ensuring a stable, secure, and resilient digital financial future for the European Union.
