      November 2025 marked the long-awaited release of the designated Critical ICT Third-Party Providers (CTPPs) list under the Digital Operational Resilience Act (DORA).

      The CTPPs designated by the European Supervisory Authorities (ESAs) will now be subject to direct supervision by the ESAs in the form of annual risk assessments, on-site inspections, compliance with reporting requirements and active response mechanisms to supervisory requests and recommendations.

      This signals the beginning of what will likely be a market-wide uplift in resilience expectations, with regulatory focus on these CTPPs setting new standards for the broader ICT service provider ecosystem.

      Regardless of formal designation, this development creates universal expectations that all ICT service providers serving EU Financial Entities (FEs) will operate to the highest resilience standards. The ICT service provider landscape now comprises three distinct categories:

      Simran Singh

      Director - Operational Resilience, KPMG in the UK

      Jonathan Day

      Senior Manager - Operational Resilience, KPMG in the UK

      • Designated Critical Supplier

        Designated as critical by the ESAs or voluntarily opting in to the designation.

      • Critical CIF Support

        Non-designated ICT service providers supporting a critical or important function for their FE customers.

      • ICT Suppliers not supporting customer CIFs

        Non-designated ICT service providers that do not support a critical or important function for their FE customers.







      Irrespective of your firm’s position within these categories, customer expectations will be shaped by their experience with designated CTPPs. This heightened focus on resilience will rapidly establish a new baseline, making best-practice standards the de facto strategic imperative.

      This will fundamentally change your operational approach, making proactive narrative management essential for effective engagement with FE customers and regulatory authorities, ensuring relationships are built on a foundation of sustainable trust.

      When developing your approach, consider the following elements:


      • Determine your scope comprehensively

        This will be an essential early activity to make sure that you have mapped out which business areas will be impacted and who needs to be involved. This will require working down from your legal entity (or entities) to the services your FE customers consider critical, aligning with their CIF scoping.

      • Be clear on your existing frameworks and assurance mechanisms

        Understanding the frameworks and assurance mechanisms that you already adhere to is a good starting point. While there are many specific areas of focus within DORA, you likely have existing capabilities that can serve as a baseline for development rather than starting from scratch.

      • Design for long-term sustainability

        Build a sustainable operating model that integrates the regulatory activities and expectations into BAU operations. While a project to set this up may be necessary, treating it as an ongoing programme or separating it from the business will lead to challenges in the future. Integrating it into the business as early as feasible will help set you up for success.


      Resilience is your license to operate

      Compliance with DORA is essential for all CTPPs and other non-designated providers who support their FE customers’ CIFs, driven by the following factors.


      • Customer Expectations

        There is a significant uplift required to meet FE customer assurance needs and position yourself as a trusted delivery partner.


      • Contractual Obligations

        ICT third-party service providers must have the appropriate terms and capabilities in place to meet regulatory expectations and those of their FE customers.


      • Regulatory Assessment Criteria

        Article 33 requirements mean ICT providers must have policies, frameworks and procedures in place linked to a range of different DORA requirements, requiring a holistic operating model solution, embedded through the lifecycle of a customer relationship.


      However, resilience is about much more than just regulatory compliance; it is also a competitive advantage. Resilience is evolving into a fundamental prerequisite for third-party providers to the financial services sector. DORA raises the bar for all ICT service providers – establishing an immediate oversight framework and becoming an enabler for your EU customers’ DORA compliance.

      This presents a significant opportunity to get ahead of your competition and demonstrate yourself as a preferred partner.


      The path forward

      ICT service providers need to design and embed an operating model that is scalable and sustainable. It needs to assure customers that resilience is as important to you as it is to them. The below outlines the key components of an effective operating model:



      Getting ready for DORA requires CTPPs to enable compliance for their EU customers on various parameters, both within customer contractual commitments and assurance capabilities, as covered by Articles 28 & 30. Article 33 covers the criteria used to assess whether a critical ICT third-party provider has comprehensive, sound and efficient procedures to manage ICT risk.

      Organisations that embrace operational resilience as a core capability will not only meet regulatory requirements but also advance strategic objectives. Those that do will emerge as industry leaders, able to withstand disruption and seize new opportunities.

      KPMG's specialised DORA team brings cross-border expertise to this complex challenge, helping global firms transform regulatory requirements into sustainable business advantages. Ready to elevate your approach? Connect with KPMG experts to develop a sustainable DORA approach that works across borders.



      Contacts from the jurisdictions:

      UK – Simran Singh (Director, Operational Resilience)

      UK – Jon Day (Senior Manager, Operational Resilience)

      France – Faycal El Belghami (Partner, Technology Advisory)

      Germany – Vaike Metzger (Partner, FS Technology & IT-Compliance)

      Belgium – Thomas Meyer (Director, Enterprise Risk Services)

      Netherlands – Brigitte Beugelaar (Partner, Technology Consulting)

      Ireland – Carmen Cronje (Director, Risk Consulting)

      Ireland – Jackie Hennessy (Partner, Risk Consulting)

      Hungary – Lukács Kornél (Partner, Technology & Cyber)

      Luxembourg – Onur Ozdemir (Partner, Business Enablers)
