The Vendor Is Now Inside The Perimeter
Europe’s cloud-risk debate has moved out of the white-paper phase.
Under the Digital Operational Resilience Act, the European Supervisory Authorities now have an EU-level oversight framework for critical ICT third-party providers. That means technology vendors that serve enough of the financial sector can be designated as critical, assigned a Lead Overseer, examined by Joint Examination Teams, and issued recommendations to improve their ICT risk controls.
The useful shift is not semantic. For years, banks were told to manage cloud and outsourcing risk through contracts, exit plans, vendor questionnaires and board accountability. DORA keeps that responsibility. It also admits the obvious: if too many banks, insurers and market firms depend on the same external technology providers, the risk is no longer just a bank-by-bank vendor problem.
It is infrastructure risk.
The European Banking Authority’s DORA oversight page says the regime is designed to address systemic and concentration risk from financial-sector reliance on a limited number of ICT providers. The EBA, EIOPA and ESMA designate critical providers and act as Lead Overseers, while the framework complements rather than replaces firms’ own third-party risk duties (EBA DORA oversight).
That last clause matters. Banks do not get to outsource accountability because Brussels now watches the vendor. DORA creates a second line of sight, not a liability escape hatch.
Europe is not regulating cloud providers like banks. It is regulating their failure modes like financial infrastructure.
From Policy To Named Supervision
The regime is already operational. On November 18, 2025, the ESAs published the first list of designated critical ICT third-party providers under DORA. The designation process used financial entities’ Registers of Information, then applied a criticality assessment with competent authorities across banking, insurance, pensions, securities and markets. Providers assessed as critical were notified, had a right to be heard, and then received final designation decisions (EBA press release, November 18, 2025).
That sequence is the operational story. DORA is not just saying “cloud concentration is risky.” It is building the information supply chain needed to identify who matters, why they matter, who oversees them, and what happens next.
The oversight mechanics are more intrusive than ordinary vendor management. The EBA describes DORA oversight activities as designation, risk assessment, planning, execution of oversight examinations, and issuance and follow-up of recommendations. It says each critical provider can have a Joint Examination Team, coordinated under a Lead Overseer, and that the ESAs operate through a single joint directorate for this work (EBA DORA oversight).
The broader EBA DORA activity page is blunter about powers. It says Lead Overseers may request information from critical providers, conduct off-site investigations and on-site inspections, impose penalties, and issue recommendations (EBA DORA).
That changes the vendor conversation. A critical cloud, data, security or processing provider is no longer only negotiating with procurement and bank compliance teams. It is entering a supervisory workflow.
The providers are still not banks. They do not take deposits. They do not hold capital against credit portfolios. They do not become prudentially supervised financial institutions.
But their resilience controls now sit close enough to finance that regulators want direct evidence, not second-hand comfort letters.
Why Banks Should Not Relax
The clean but wrong reading is that DORA centralizes the hard part at the vendor level.
It does not.
The EBA’s own language says the oversight framework complements financial entities’ responsibility for ICT risk. ECB Banking Supervision says the same thing in its 2026-28 supervisory priorities. The ECB notes recurring weaknesses in cybersecurity strategies, cyber incident management and third-party risk frameworks, and says supervisors will carry out two on-site inspection campaigns focused on cybersecurity and third-party risk management. It also plans a deep dive into banks’ preparedness for disruption at a major cloud service provider (ECB supervisory priorities 2026-28).
That is the more painful message for banks.
DORA does not reduce internal work. It changes the evidence regulators will expect. Banks still need accurate service inventories, contract mapping, concentration analysis, incident processes, tested exits, and board-level ownership. The fact that a provider is critical may make the bank’s problem clearer, not smaller.
The ECB also says DORA critical-provider oversight is meant to complement, not substitute for, sound third-party risk management. In plain English: if a cloud region fails, the bank cannot answer, “The ESA was looking at them.”
That answer has the structural integrity of wet cardboard.
The Cloud Market Signal
For large technology vendors, the incentive is obvious. If European financial institutions are important customers, DORA resilience posture becomes part of the product.
The winning vendor pitch will not stop at uptime numbers. It will include mapped service dependencies, evidence packages, incident transparency, change-management discipline, subcontractor visibility, location and jurisdiction controls, and a process for responding to Lead Overseer requests without turning every query into a bespoke fire drill.
This will be expensive. It also favors scale.
Smaller ICT providers may not be designated as critical, but they still sit inside bank DORA programs. If they support important functions, customers will ask harder questions. If they cannot produce evidence, banks will treat them as operational risk with a logo.
For hyperscalers and major financial-technology providers, the shift is different. DORA can formalize what already existed informally: their systems are part of Europe’s financial operating layer. That is commercially valuable. It is also supervisory exposure.
The cross-border angle is already visible. In January 2026, the ESAs and UK financial regulators signed a memorandum of understanding on oversight of critical ICT third-party providers under DORA. The point is coordination across jurisdictions where the same vendors support both EU and UK finance (EBA, January 14, 2026).
That matters because cloud concentration does not respect regulatory borders. A vendor incident in one market can become a supervisory event in another before the incident bridge has finished roll call.
The Real Compliance Boundary
DORA’s critical-provider regime is a useful correction to an old fiction.
The old fiction was that regulated finance could push enough risk into contracts and audits to make technology dependence manageable at firm level. That works for ordinary outsourcing. It does not fully work when the same providers host, secure, connect or process critical functions across large parts of the market.
The new model is messier but more honest. Banks remain accountable for their own resilience. Vendors that become systemically important to finance face direct oversight. Supervisors get more visibility into common failure points. No one gets to pretend the perimeter stops at the bank firewall.
This is not a war on cloud. It is the opposite. Europe is making cloud and ICT dependence governable enough that financial institutions can keep using it.
That is the practical DORA bargain. Technology vendors get deeper access to regulated finance. In return, the most critical ones become part of the supervisory map.
The map is no longer theoretical.