On 18 November 2025 the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority published the first operative list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act. The ESA announcement put 19 providers inside direct EU-level oversight. Two of those providers, Deutsche Telekom AG and SAP SE, are German. The remaining seventeen are firms German banks already cannot run without: AWS, Microsoft, Google Cloud, Oracle, IBM, Equinix, InterXion, financial data providers such as Bloomberg and LSEG Data and Risk, and large integrators including Accenture, Capgemini, Kyndryl, NTT Data and Tata Consultancy Services.
The list itself is not the structural news. The structural news is that German banks now have an ICT-risk supervisor above BaFin for the provider layer, and BaFin does not get to direct it.
The two-tier architecture
Under DORA, a bank’s own ICT risk management remains with the national competent authority. For a German bank, that means BaFin for governance, incident reporting, resilience testing, contract discipline and third-party risk management, with the Bundesbank involved through Germany’s established banking-supervision division of labour. The Bundesbank’s DORA reporting page still describes the domestic reporting channel through which German entities submit incident and register information.
What has moved is the layer above the bank. DORA created a direct oversight regime for critical ICT third-party providers themselves, not merely for the financial entities that consume their services. The EBA’s DORA oversight page says the ESAs designate providers as critical and act as Lead Overseers, coordinating oversight across the Union.
The practical split is simple. A large German universal bank with critical Microsoft exposure now sits under two ICT supervisory views at once. BaFin can examine how the bank manages its Microsoft dependency: contracts, exit plans, concentration tolerance, incident channels and board evidence. The EBA, as Lead Overseer for a provider whose critical services are concentrated in the banking sector, can examine the provider itself: its governance, risk framework, resilience controls and remediation response. BaFin cannot tell the EBA what to look at. The EBA cannot tell BaFin to stop examining the bank. Both supervisors look at the same dependency, but they pull different levers.
That is a material change for German compliance teams. Vendor oversight is no longer just a bank-side file that proves the institution asked the right questions. It is becoming a joined supervisory object: the bank’s control evidence on one side, the provider’s direct EU oversight record on the other.
Why Germany has a sharper stake
Germany has domestic exposure on both sides of the new structure. Deutsche Telekom is a national network and infrastructure provider. SAP is a German enterprise-software group whose footprint in bank back offices is hard to overstate. For BaFin, the provider question is not only a foreign-cloud concentration issue. Two designated providers sit inside the German corporate perimeter.
That matters because the DORA register of information forces institutions to map contractual arrangements with ICT third-party service providers in a way supervisors can compare. The Bundesbank page notes that DORA’s register obligations are supplemented by Implementing Regulation (EU) 2024/2956, which sets the standard templates for the register. BaFin’s DORA information-register FAQ describes how the register is used under DORA for supervisory purposes and how provider identifiers are handled.
For a German bank, the map now has two audiences. BaFin can ask whether the bank understands where critical services sit, what exit options exist and whether risk appetite has been approved at the right level. The ESAs can ask whether a designated provider’s own controls are credible enough for a financial system that relies on it. The bank cannot collapse those questions into one annual outsourcing review.
The reporting cycle is the control point
The immediate control point is the register of information. German financial entities submit their DORA information through domestic reporting channels, and that information is passed into the European process. The register is no longer only an inventory. It is the data layer that lets supervisors see concentration, substitution risk and cross-sector dependency.
That changes the kind of defect that matters. An incomplete provider name is not a clerical problem if it prevents a dependency from being matched to a designated critical provider. A missing service classification is not housekeeping if it hides a core banking process. A stale contract record is not a filing weakness if it makes an exit plan look more plausible than it is.
The German supervisory question for 2026 is therefore not whether banks have heard of DORA. They have. The question is whether the bank-side evidence is now precise enough to survive comparison with EU-level provider oversight. A bank that says a cloud service is substitutable may find the provider-level file telling a less comfortable story about concentration. A bank that treats SAP as routine enterprise software may have to explain why a designated critical provider does not receive board-level attention in the outsourcing and operational-resilience file.
What changes for bank boards
The first board-level consequence is that ICT concentration becomes harder to discuss as a procurement issue. DORA already required management bodies to own ICT risk. The CTPP list now gives boards a named external perimeter: not generic cloud risk, but specific providers whose EU oversight status can change the bank’s own remediation burden.
The second consequence is that recommendations to providers can come back to banks indirectly. The Lead Overseer addresses its recommendations to the provider, not to the bank, but if it identifies weaknesses at a provider, the consuming financial institution still has to decide whether continued reliance is acceptable, whether compensating controls are enough and whether exit planning is credible. DORA (Article 42) also lets the competent authority, as a last resort, require a financial entity to suspend or terminate its use of a provider that does not act on those recommendations. BaFin therefore remains the practical pressure point on the German bank even when the original finding comes from an ESA review of the provider.
The third consequence is documentation. German institutions will need files that connect the register, contract inventory, board risk appetite, exit planning and operational-resilience testing. The days when those files could live in separate compliance silos are ending. The same dependency now appears in a domestic supervisory file and a European provider-oversight file.
Where the next signal comes from
The next useful signal will not be another explanatory DORA note. It will be evidence of how the ESAs run the first oversight cycle against the named providers, and how BaFin uses German banks’ registers to test concentration and exit assumptions. For German banks, Deutsche Telekom and SAP make the regime more than a foreign-hyperscaler story. The domestic providers are now inside the same EU-level structure as the global cloud groups.
DORA has moved from implementation slogan to supervisory architecture. German banks still answer to BaFin on their own controls. But for the critical ICT layer above them, the supervisor is now European, direct and separate. That is the new compliance problem.