The Critical 19: CCTP List Analysis
The Critical 19: what the CCTP list actually tells us.
Gleb Etinzon, DORA Consultancy.
A boutique consultancy addressing complex regulatory requirements in a pragmatic way. London, UK.
In Part 1, I argued that the DORA Register of Information is being treated as a filing exercise rather than a risk tool, and that the 99.87% of ICT providers below the CCTP threshold are where incidents actually originate. This piece examines the 0.13% — the 19 designated Critical ICT Third-Party Providers — and asks whether the designation itself holds up against the regulator's own statutory criteria.
The short answer: the list is defensible as a political artefact. As an analytical instrument, it has serious structural problems that financial entities need to understand before they let it shape their own concentration-risk assessment.
Applying the regulator's own criteria to the list
The criticality criteria the ESAs were obliged to apply are set out in Article 31(2) DORA. Four criteria matter:
(a) the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party service provider would face a large-scale operational failure;
(b) the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider (G-SIIs, O-SIIs and their interdependence);
(c) the reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions, irrespective of whether financial entities rely on those services directly or indirectly, through subcontracting arrangements;
(d) the degree of substitutability of the ICT third-party service provider, taking into account the lack of real alternatives and the difficulties in relation to partially or fully migrating the relevant data and workloads.
Mapping these against the designated 19 produces three observations that the operational-risk reader should take seriously.
Observation 1 — The subcontracting clause is the smoking gun, and it points at three providers
The “irrespective … directly or indirectly, through subcontracting arrangements” wording in Article 31(2)(c) is unambiguous. The criticality of a provider should be assessed including the chain of dependencies the financial entity has through subcontracting.
But the published list treats SAP, Oracle, FIS, Kyndryl, Accenture, Capgemini, TCS and NTT DATA as standalone CCTPs — when the public evidence shows that material parts of their service to financial entities are delivered on AWS, Azure or Google Cloud. There are only two ways to read this:
Option A — the criterion was applied properly. In that case, the criticality scores for AWS, Azure, and Google Cloud already reflect the indirect reliance routed through SAP RISE, FIS Modern Banking Platform, Kyndryl-managed Azure environments, Capgemini-Google delivery contracts, and the rest. If true, the real systemic-impact concentration sits at three providers, and the other 16 are at least partially double-counted relative to the same underlying risk.
Option B — the criterion was applied in a literal, contract-counterparty way. In which case, the indirect reliance was not aggregated upward, and the ESAs' criticality scoring understated hyperscaler concentration by attributing dependencies to the immediate counterparty rather than the underlying infrastructure host. If true, the published “Critical 19” understates the actual concentration story.
Either way, the financial entity is the one left to reconcile that gap in its own register.
Observation 2 — The substitutability test is being stretched for the consultancies and telcos
Article 31(2)(d) requires the ESAs to assess “the lack of real alternatives, even partial” and “difficulties in relation to partially or fully migrating … due either to significant financial costs, time or other resources.”
Applied strictly across the list, the results vary enormously:
AWS, Microsoft, Google Cloud: workload migration between hyperscalers is widely documented as a multi-year, multi-million-Euro programme. Substitutability test: clearly met.
SAP, Oracle: ERP and database migration is a textbook multi-year programme. Met in practice if not in principle.
Bloomberg L.P.: the only realistic alternative is LSEG (Refinitiv). Two-name market. Clearly met.
Equinix, InterXion: large competitive co-location market in EMEA. Substitutability is practically constrained by hyperscaler tenancy patterns rather than co-location lock-in per se. Marginal.
Colt, Deutsche Telekom, Orange: the wholesale telecom backbone is one of the most competitive infrastructure markets in Europe — BT, Vodafone, Lumen, Verizon, Telefónica, Liberty Global all operate. For general WAN, substitutability is high. The test is weak unless the ESAs are reading it more broadly than the text supports.
Accenture, Capgemini, IBM (services), Kyndryl, TCS, NTT DATA: the entire premise of the IT services market is provider-substitutability through competitive procurement. Big Four-plus consultancies routinely re-bid against each other on multi-year deals. Substitutability test: structurally fails unless the ESAs are interpreting “substitutability” as “ease of mid-contract switching” rather than “existence of competitors.”
If criterion (d) had been applied strictly — “lack of real alternatives” — the consultancies and the European telcos would not be on the list. Their inclusion is best explained as the ESAs prioritising sectoral coverage of the CCTP regime over a literal reading of the substitutability test.
But the substitutability picture inverts for the on-prem segment
The framing above holds for the cloud-native, hyperscaler-dependent segment of EU banking — the modernised tiers of large banks, fintechs, and digital-first insurers. That is not the entire sector.
A material share of EU financial entities is still substantially on owned data-centre estates or co-located infrastructure. This population includes Tier-1 European banks running core banking on IBM zSeries mainframes (Deutsche Bank, BNP Paribas, Société Générale, Santander, ING all maintain large mainframe estates), custodian banks where settlement-grade latency and historical data sovereignty constraints favour dedicated infrastructure, central counterparties and trading venues running matching engines in co-located cages with sub-millisecond latency to participants, and a long tail of payment institutions, mid-tier banks, and asset managers running their own racks in commercial data centres.
For this segment, the substitutability picture is very different:
Equinix and InterXion become primary infrastructure, not a layer below the hyperscalers. Co-location concentration in the major financial-centre data halls — Equinix LD4/LD5/LD6 in Slough, FR2/FR4/FR5 in Frankfurt, AM3/AM4/AM5 in Amsterdam; Digital Realty's TH1/TH2 in London Telehouse North — is genuinely systemic for trading-floor and clearing workloads. Moving a co-located trading engine across data centres is a 12–18 month programme involving cross-connect re-provisioning, latency re-baselining, and counterparty re-cabling. Substitutability: low.
Colt is the dominant low-latency international network for European trading floors. Substitutes exist, but the cross-connect topology of any given trading venue strongly favours one or two carriers, and migration is multi-quarter and disruptive. Substitutability for general WAN is high; substitutability for low-latency exchange connectivity is low.
IBM and Kyndryl mainframe maintenance is arguably the most locked-in dependency on the entire CCTP list. A mainframe COBOL replatforming programme is a 5–10 year, hundreds-of-millions-of-Euros undertaking (see the publicly disclosed transformation timelines at Lloyds Banking Group, Commonwealth Bank of Australia, and ING). Kyndryl is the spin-off that took the IBM Global Services mainframe-management book; the lock-in transferred with the contracts.
The CCTP list is a single flat list, but the actual concentration topology depends on which segment of the EU financial sector you are in. A fintech populating B_05.01 will produce a register that looks like a tree with three roots (AWS, Azure, GCP). A custodian bank or a central counterparty populating the same template will produce a register that looks more like an estate ledger: data hall, cage, cross-connect, mainframe LPAR, network carrier. Both are accurate; both are CCTP-relevant; neither is the whole picture.
The sovereignty profile of the Critical 19
The CCTP regime is officially neutral on the geopolitical origin of providers — Article 31(2) contains no jurisdictional criterion. But the published list, taken in aggregate, is a self-portrait of EU financial-sector dependence on non-EU technology.
| Designated entity | Operational HQ | Ultimate control |
|---|---|---|
| Accenture plc | Dublin (IE) | Listed NYSE; Irish-incorporated, US-financialised |
| Amazon Web Services EMEA Sarl | Luxembourg | Amazon.com Inc (US) |
| Bloomberg L.P. | New York (US) | US (private partnership) |
| Capgemini SE | Paris (FR) | EU-controlled |
| Colt Technology Services | London (UK) | UK; majority-owned by Fidelity Investments (US) |
| Deutsche Telekom AG | Bonn (DE) | EU-controlled (KfW + German Federal Government) |
| Equinix (EMEA) B.V. | Amsterdam (NL) | Equinix Inc (US, NASDAQ) |
| FIS, Inc. | Jacksonville (US) | US (NYSE) |
| Google Cloud EMEA Limited | Dublin (IE) | Alphabet Inc (US) |
| IBM Corporation | Armonk, NY (US) | US (NYSE) |
| InterXion HeadQuarters B.V. | Amsterdam (NL) | Digital Realty Trust (US, NYSE) |
| Kyndryl Inc. | New York (US) | US (NYSE) |
| LSEG Data and Risk Limited | London (UK) | UK (LSEG plc) |
| Microsoft Ireland Operations Limited | Dublin (IE) | Microsoft Corporation (US) |
| NTT DATA Inc. | Plano TX / Tokyo | Japanese (NTT Corp) |
| Oracle Nederland B.V. | Amsterdam (NL) | Oracle Corporation (US) |
| Orange SA | Paris (FR) | EU-controlled (French state significant stake) |
| SAP SE | Walldorf (DE) | EU-controlled |
| Tata Consultancy Services Limited | Mumbai (IN) | Indian (Tata Sons) |
Of 19, exactly four are EU-headquartered and EU-controlled: Capgemini, Deutsche Telekom, Orange, and SAP. Two are UK-headquartered — post-Brexit, outside the EU regulatory perimeter. Two are non-EU, non-US (NTT DATA Japanese; TCS Indian). Eleven are US-controlled, including all three hyperscalers and the colocation, managed-services, and data-vendor backbone.
The CCTP list is, in plain terms, a published map of EU financial-sector dependence on US technology, with a small Indian/Japanese/UK fringe and a four-firm EU-sovereign minority.
The sub-entity defence does not solve the extraterritoriality problem
A natural defence offered by the US-controlled CCTPs is that the designated entity is an EU sub-entity — Luxembourg-incorporated, Dutch-incorporated, Irish-incorporated — contractually counterparty in EU jurisdiction, with EU-resident data centres. This is true, and it does provide some protection on data-residency and applicable-contract-law questions. It does not solve the extraterritorial reach of US law over the parent. The CLOUD Act and FISA 702 reach the parent regardless of where the data sits or which sub-entity signed the contract.
And one EU-sovereign CCTP runs its flagship on a Chinese hyperscaler
SAP SE, one of the four genuinely EU-controlled CCTPs, publicly documents that RISE with SAP S/4HANA Cloud Private Edition runs on Microsoft Azure, AWS, Google Cloud and Alibaba Cloud. The German national-champion ERP provider, designated as an EU-systemic CCTP, lists a Chinese hyperscaler in its public infrastructure stack. EU-sovereign at the headline; multi-jurisdictional at the substrate. Even the EU-controlled CCTPs only get sovereignty as far down the stack as their own procurement choices permit.
Below the 19, the long tail is even more foreign
The 14,981 ICT providers that did not make the CCTP list are not a parochially European population either. The mid-tier and tail of EU financial-sector ICT supply is dominated by Indian IT services (Infosys, Wipro, HCL, Tech Mahindra — TCS is on the CCTP list; the others are not, but have comparable EU banking footprints), US niche fintech infrastructure (Stripe, Plaid, Twilio, MongoDB Atlas, Snowflake, Databricks), Israeli cybersecurity (Check Point, CyberArk, Wiz, Palo Alto Networks via Demisto — the Israeli vendor concentration in the EU bank security stack is striking), and Eastern European outsourcing (Romania, Poland, Czech Republic, Ukraine) that often sits invisible at the contract surface as subcontractors of larger Western European integrators.
What this means for your register
Classify your firm's actual infrastructure topology before you populate. The “Critical 19 = 3 hyperscalers” framing fits if you are cloud-native. It does not fit if a meaningful share of your critical workload sits on owned data centres, mainframe, or co-located infrastructure. Most large EU banks and almost all market-infrastructure operators are hybrid. The register entries, and therefore your exit and substitution planning, look very different for a Colt low-latency cross-connect than for an SAP RISE workload on Azure. A flat treatment will misrank your real exposure.
Follow the subcontracting chain in your own register, even if the regulator did not. When you populate template B_07.01 (Assessment of ICT services), do not let the field “Existence of alternative ICT third-party providers” be answered by the contract counterparty alone. If your SAP RISE contract specifies Azure as the underlying hyperscaler, your alternative-provider analysis must include the Azure dependency as a separate constraint. The DORA criteria themselves require following the chain; the register schema permits you to surface that.
Populate B_05.01 with ultimate-parent jurisdiction, not just contract counterparty. A register that only records the EU contract counterparty systematically understates your sovereign-exposure profile — at the CCTP layer where US parents sit behind EU sub-entities, and even more so at the long-tail layer where Indian, Israeli, and US niche providers sit behind larger contracted integrators. If your board ever needs a defensible answer to “what share of our critical ICT services is under non-EU jurisdictional control?”, the only place you can build that answer is the register, populated honestly.
Do not assume “designated CCTP” status is uniformly meaningful. Your concentration risk is overwhelmingly with the hyperscaler tier, plus Bloomberg/LSEG for market data and SAP/Oracle for ERP. The consultancies and telcos on the list are, on a strict reading of Article 31(2)(d), substitutable. Treating them with the same risk weight as your hyperscaler exposure is a mis-allocation of attention — and the register, in the way most firms have populated it, will not surface that distinction unless you actively make it.
The register is well-intentioned, the templates are reasonable, and the regulator's data quality push is sincere. But without enforcement that bites below the CCTP threshold, without firm-internal use of the register as a live risk tool rather than an annual filing, and without supplier disclosure that is register-grade by default rather than gated by sales, the exercise diminishes to a formality. The firms that treat it as one will discover the cost when the next ION-Group-shaped incident arrives — from the tail, not from the top of the list.
For help with DORA challenges above, as well as others, please reach out to the team.
Ready to discuss your DORA compliance challenges?
Our team of experienced consultants is here to help.
Get in Touch