German banks now have an ICT supervisor above BaFin

On 18 November 2025 the three European Supervisory Authorities — the EBA, EIOPA and ESMA — published the first operative list of designated critical ICT third-party providers under the Digital Operational Resilience Act. Nineteen names made it onto the list. Two of them — Deutsche Telekom AG and SAP SE — are German. The rest is a roll-call of the firms that German banks already cannot run without: AWS, Microsoft, Google Cloud, Oracle, IBM, Equinix, the colocation operator InterXion, plus banking-services suppliers like FIS, LSEG Data and Risk, Bloomberg, and the large integrators Accenture, Capgemini, Kyndryl, NTT Data and Tata Consultancy Services.

The list itself is the part that will be re-printed in the trade press for the next month. It is not the structural news. The structural news is that for the first time, German banks have a supervisor sitting above BaFin on the ICT-risk question, and BaFin does not get to direct it.

The two-tier architecture, in concrete terms

Under DORA, the bank’s own ICT risk management — its governance, incident reporting, testing programme, contractual hygiene with vendors — remains with the national competent authority. For a German bank that means BaFin under Articles 5 to 14 of the Regulation, with Bundesbank running the operational supervision in parallel under the existing bank-supervision division of labour. None of that has moved.

What has moved is the layer above the bank. DORA’s Chapter V created a direct EU oversight regime for the critical third parties themselves — not via the financial entity that consumes their services, but on the provider as a regulated object in its own right. Each designated CTPP is assigned a “Lead Overseer” — the EBA for banking-skewed providers like AWS, Microsoft, SAP and the integrators; ESMA for the capital-markets-skewed names like LSEG Data and Risk; EIOPA for the insurance-specific layer. The Joint Oversight Committee coordinates across the three.

The practical asymmetry runs like this. A large German universal bank with critical Azure exposure now sits under two ICT supervisors at once. BaFin will continue to audit how the bank manages its Azure dependency: contracts, exit plans, concentration tolerance, incident channels. The EBA, as Microsoft’s Lead Overseer, will examine Azure itself — its risk management framework, its governance, its resilience controls — and can issue recommendations directly to the provider. BaFin cannot tell the EBA what to look at. The EBA cannot tell BaFin to stop. The two supervisors share the same factual dependency but pull on different levers, on different cadences, with different remedies.

This is what “cooperation, not command” looks like in supervisory architecture. The ESAs’ designation framework explicitly says the work was carried out “in cooperation with the Competent Authorities” — but cooperation here is a coordination duty, not a chain of command. There is no clause that lets BaFin override an EBA oversight finding on a CTPP, and no clause that lets the EBA tell BaFin how to run a bank-side audit.

Why the German exposure is the sharpest in the SSM

Two of the 19 designated CTPPs are headquartered in Germany. Deutsche Telekom AG sits on the list as an infrastructure and network provider, and SAP SE sits on it as a core enterprise-systems supplier whose footprint inside German bank back offices is hard to overstate. That alone gives BaFin a more domestic stake in CTPP oversight than most other NCAs, because the supervisor of the bank and the supervisor of the provider are no longer separated by geography for these names.

The hyperscaler picture is also more concentrated on the German side than the EU average. BaFin has spent the last reporting cycle flagging US-hyperscaler concentration in German bank ICT stacks as a watch item, and the March 2026 Register of Information submissions are being read by BaFin staff with exactly that lens. The fact that AWS EMEA, Microsoft Ireland Operations and Google Cloud EMEA all sit on the CTPP list confirms what BaFin already saw in last year’s data — and tees up the EBA’s first round of direct oversight examinations on precisely the providers German banks depend on most.

The first hardened reporting cycle just closed

The Information Register submission window for the 2026 cycle ran from 9 to 30 March. German financial entities filed through BaFin’s MVP reporting platform, either as an xBRL-CSV package compliant with the ESA taxonomy or via the BaFin-provided Excel template; BaFin then forwards the registers to Bundesbank and onward to the ESAs by the 31 March consolidation deadline.

The 2025 round was, in practice, a pilot — the data was patchy, the templates were unstable, and BaFin’s public posture was tolerant. The 2026 round is the first cycle that closes with a stable taxonomy, a designated CTPP list to map dependencies against, and a supervisor pair (BaFin and the EBA) reading the data with enforcement intent. BaFin has already signalled that completeness, consistency and auditability will be the assessed dimensions, with US-hyperscaler dependency mapping as the headline focus area.

What 2026 brings that 2025 did not

Three things change in operational terms between the 2025 and 2026 cycles. First, the CTPP designations themselves are now operative — meaning oversight examinations, on-site or remote, can begin against named providers rather than against a notional list. Second, the annual oversight-fee architecture is live: each designated CTPP must pay fees to its Lead Overseer and designate an EU coordination entity, which formalises the supervisory relationship in a way 2025 did not. Third, recommendations issued by the ESAs to a CTPP carry weight that did not exist in the prior cycle — financial entities relying on a CTPP that does not act on an ESA recommendation must, under DORA, reflect that fact in their own risk management.

What 2026 does not bring is a fines architecture aimed at CTPPs that mirrors the prudential side. Enforcement against CTPPs runs through the Lead Overseer’s recommendation and engagement powers, and indirectly through the consuming financial entity’s supervisor — meaning BaFin still ends up being the practical pressure point on a German bank that fails to act on an ESA finding against, say, SAP.

Where the next signal comes from

The next dated reference points for German banks are the ESAs’ annual oversight reports on the CTPP regime — the first of which is expected later in 2026 — and any BaFin spotlight publication that maps domestic concentration against the now-designated list. The DORA-CTPP regime has moved from theory to live supervision over a single cycle. The supervisory architecture above the German bank is now permanently more crowded than it was a year ago, and the bank does not get to pick which supervisor it answers to first.

Primary sources

Verification status against framing checklist

  1. 18 November 2025 designation — verified, EBA joint press release.
  2. ESAs as direct CTPP supervisors via Lead Overseer model — verified, EBA release (“direct oversight engagement”); Lead Overseer split per ESA-published methodology.
  3. National competent authority retains bank-side ICT supervision (BaFin under DORA Art 5–14) — verified.
  4. Information Register submission window 9–30 March 2026 — verified, Bundesbank / BaFin reporting systems.
  5. Composition of the 19 CTPPs — verified against PwC Germany enumeration; mix of hyperscalers, telecoms (Deutsche Telekom, Orange), enterprise software (SAP, Oracle, IBM), data centres (Equinix, InterXion), financial-services-specific (FIS, LSEG Data, Bloomberg), integrators (Accenture, Capgemini, Kyndryl, NTT Data, TCS).
  6. What changes in 2026 vs 2025 — verified: 2025 was a pilot cycle; 2026 is the first cycle that closes with operative designations, oversight fees live, recommendation enforcement architecture functional. Fines regime against CTPPs not yet present.