The EU’s Digital Operational Resilience Act (DORA) put financial regulators directly over the cloud giants for the first time in 2026 — designating Amazon, Microsoft and Google as critical providers and opening a supervision cycle that the UK mirrors through a separate regime and the US still leaves to guidance, splitting how three markets police the technology the whole system runs on.
On November 18, 2025 the European Supervisory Authorities (ESAs) designated the first 19 Critical ICT Third-Party Providers (CTPPs) under Article 31 of DORA, and 2026 is the year that designation bites: the Joint Oversight Network will issue binding recommendations, and the European Banking Authority (EBA), European Securities and Markets Authority (ESMA) and European Insurance and Occupational Pensions Authority (EIOPA) begin direct inspections of providers including Amazon Web Services, Microsoft and Google Cloud. DORA applied from January 17, 2025; the UK runs a broader operational-resilience regime on a separate timetable; the US relies on sectoral guidance. This analysis maps the three frameworks, the enforcement that backstops them, and what it means for firms and their vendors.
Key Facts:
• The ESAs designated 19 Critical ICT Third-Party Providers under Article 31(9) of DORA on November 18, 2025 — EBA/ESMA/EIOPA
• Designees include Amazon Web Services EMEA, Microsoft Ireland, Google Cloud EMEA, IBM, Accenture, Bloomberg, LSEG Data & Risk and FIS — ESAs
• More than 65% of EU financial entities rely on at least two of AWS, Azure and Google Cloud for critical functions — regulatory concentration data
• Lead overseers can fine a CTPP up to 1% of average daily worldwide turnover, daily for up to six months until compliant — DORA
• The ESAs and UK regulators (Bank of England, PRA, FCA) signed an oversight Memorandum of Understanding on January 14, 2026 — EBA
• Enforcement benchmark: the FCA and PRA fined TSB Bank £48.65 million in December 2022 for operational-resilience failings — Bank of England
Methodology and sources
This analysis rests on primary regulator materials: DORA (Regulation (EU) 2022/2554) and the ESAs’ November 2025 designation of Critical ICT Third-Party Providers under Article 31; the EBA’s January 2026 Memorandum of Understanding (MoU) with the UK authorities; the Bank of England’s 2026 policy statement on operational-incident and third-party reporting; the US interagency third-party risk-management guidance; and the FCA and PRA final notices in the TSB case. The jurisdictional scope is the EU, the UK and the US — the three regimes that set the template for how financial regulators supervise the technology firms depend on. The window is the trailing 18 months to June 2026. One caveat: DORA’s direct oversight of providers is new, so its enforcement record is thin; the cautionary precedent cited, TSB, predates DORA but is the canonical operational-resilience failure the new rules are designed to prevent.
What DORA actually does
DORA is not another cyber checklist; it is a structural answer to concentration risk. Most of the EU’s financial system runs on a handful of cloud and data vendors, and DORA’s drafters concluded that if one of them fails, the disruption is systemic in a way no single bank’s controls can contain. So Article 31 lets the ESAs designate the most systemically important ICT providers as CTPPs and place them under direct EU oversight — the first time European financial regulators have supervised technology vendors rather than only the regulated firms that hire them.
The CTPP regime is the load-bearing innovation in DORA. Once designated, a provider falls under a Lead Overseer — the EBA, ESMA or EIOPA depending on sector — which under Article 35 can request information, conduct investigations, carry out on-site inspections, and issue recommendations on cybersecurity and risk management directly to the provider. The first list, published November 18, 2025, named 19 companies, of which roughly a quarter are generic cloud-infrastructure providers — Amazon Web Services, Microsoft and Google among them — reflecting that more than 65% of EU financial entities rely on at least two of those three for critical functions. The enforcement teeth are real: a Lead Overseer can fine a non-compliant CTPP up to 1% of its average daily worldwide turnover, levied every day for up to six months. That is a penalty calibrated to a hyperscaler’s balance sheet, not a mid-sized vendor’s, and it signals that the EU intends the oversight to be felt.
| Jurisdiction / Regulator | Instrument & date | Scope | Third-party oversight | Sanction |
|---|---|---|---|---|
| EU (ESAs under DORA) | DORA, applied Jan 17, 2025; CTPPs designated Nov 18, 2025 | ICT risk only | Direct oversight of designated CTPPs (Article 35) | Up to 1% of average daily worldwide turnover, levied daily for up to 6 months |
| UK (FCA / PRA / BoE) | Operational resilience regime; policy statement on reporting 2026; rules live Mar 18, 2027 | All operational risk, not just ICT | Oversight of Critical Third Parties under SS6/24 | Final Notice penalties (e.g., TSB £48.65m) |
| US (OCC / Fed / FDIC) | Interagency third-party risk guidance, 2023 | Third-party risk, principles-based | Supervises banks’ management of vendors, not vendors directly | Civil money penalties via the supervised bank |
Sources: DORA and ESA designation; Bank of England and FCA materials; US interagency guidance. Last updated: June 8, 2026.
How three jurisdictions compare
The frameworks converge on the problem and diverge on the method. DORA is the most interventionist: narrow in scope (ICT only) but uniquely willing to regulate the vendor directly. The UK regime is the mirror image — broader, covering operational resilience whatever the cause rather than only digital incidents, but supervising critical third parties through its own authorities under Supervisory Statement SS6/24 rather than ceding power to a pan-EU overseer. The two are close enough that the ESAs and the UK regulators signed a Memorandum of Understanding on January 14, 2026 to coordinate oversight of providers that are critical on both sides of the Channel — a recognition that a designated cloud provider does not respect a border.
The biggest gap is the United States. There is no single US operational-resilience regime; instead, the Office of the Comptroller of the Currency, the Federal Reserve and the FDIC issued interagency third-party risk-management guidance in 2023 that supervises how banks manage their vendors, not the vendors themselves. The practical consequence is regulatory arbitrage in reverse: a hyperscaler faces direct EU oversight, indirect UK oversight, and in the US only the scrutiny that flows through its bank customers. For a global cloud provider, that means three different evidentiary burdens for what is functionally one service — and for a multinational bank, it means proving resilience to a Lead Overseer in Frankfurt, the PRA in London, and an examiner in Washington, each with a different lens. There is also a divergence on testing: DORA mandates threat-led penetration testing for significant entities, while the UK has encouraged intelligence-led testing as good practice rather than requiring it.
“The PRA expects firms to manage their operational resilience as well as their financial resilience. The disruption to continuity of service experienced by TSB during its IT migration fell below the standard we expect banks to meet.”
— Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive, Prudential Regulation Authority (Bank of England)
Enforcement context: why the rules exist
The case that hangs over every operational-resilience regime is TSB. In December 2022 the FCA and PRA fined TSB Bank a combined £48.65 million — £29.75 million from the FCA and £18.9 million from the PRA — for operational risk-management and governance failures, including the management of outsourcing risk, relating to a 2018 IT migration that locked roughly 1.9 million customers out of their accounts for days. The regulators did not allege bad faith; they found that a botched technology change at a single bank produced widespread consumer harm, and that the firm’s controls and board oversight were not equal to the risk. That is precisely the failure mode DORA and the UK regime are built to pre-empt — and the UK underlined the point in April 2023 when the PRA separately fined TSB’s former Chief Information Officer, establishing that operational-resilience accountability reaches named individuals, not just the institution.
The TSB penalty is the benchmark because it quantifies what a resilience failure costs before any DORA fine has landed. It also illustrates the gap the new rules close: TSB’s disruption originated in a migration the bank ran with outsourced providers, yet in 2018 the regulators could only sanction the bank, not the vendors. Under DORA, a comparable failure traced to a designated CTPP could now draw direct supervisory action against the provider itself — the structural shift the regime is designed to deliver. It is the same widening of the regulatory perimeter visible across European supervision, from EMIR 3.0’s reach over euro clearing to AMLA’s single AML rulebook.
What this means for banks, vendors and compliance teams
For financial entities, DORA turns third-party governance from a procurement formality into a supervised obligation. Firms must maintain a complete Register of Information on their ICT contracts — the dataset the ESAs used to identify CTPPs — and the quality of that register is itself now a supervisory focus as competent authorities move from implementation to examination in 2026. Exit planning, multi-provider architectures and concentration analysis become board-level deliverables, not slideware. For the designated providers — the hyperscalers and data vendors — the change is more fundamental: they are now directly accountable to a financial regulator for the first time, must engage with Lead Overseer information requests and inspections, and face the prospect of binding recommendations that could reshape service-level terms and contracts across their entire EU financial client base.
For compliance and legal teams operating across borders, the task is a control map that satisfies three regimes at once: DORA’s ICT-specific, vendor-facing rules in the EU; the UK’s broader, firm-facing operational-resilience regime under SS6/24, with reporting rules finalised in 2026 and the substantive obligations live from March 18, 2027; and the US’s principles-based third-party guidance. The seams between them — different scopes, different testing mandates, different points of supervision — are where multinational firms will spend their budget. The same three-way divergence runs through adjacent files, from Basel’s capital rules to the EU-UK-US split on payment for order flow.
“The failings in this case were widespread and serious which had a real impact on the day-to-day lives of a significant proportion of TSB’s customers, including those who were vulnerable.”
— Mark Steward, Executive Director of Enforcement and Market Oversight, Financial Conduct Authority (FCA)
What’s next — the forward view
Three threads will define the next 18 months. First, DORA’s oversight moves from designation to action: the Joint Oversight Network is expected to issue binding recommendations to several CTPPs through 2026, and the first inspections of the cloud giants will set the tone — watch whether the ESAs push on contractual terms, exit rights or multi-provider requirements, any of which would ripple across the sector’s cloud arrangements. Second, the UK timetable: with reporting rules finalised in 2026 and the operational-resilience regime fully live on March 18, 2027, expect UK firms to spend the intervening period aligning their EU and UK obligations under the January 2026 MoU. Third, the unresolved question is the United States: as the EU and UK supervise providers directly and a fresh wave of high-profile cloud outages keeps concentration risk in the headlines, pressure will build on US agencies to move beyond guidance toward something closer to direct oversight. The contested frontier is whether three regimes converge on a shared standard for the handful of vendors the entire global financial system now depends on — or whether the gaps between them become the system’s weakest point.
TL;DR
DORA designated 19 Critical ICT Third-Party Providers on November 18, 2025 — including Amazon, Microsoft and Google — and in 2026 the EU’s supervisors begin direct oversight and binding recommendations, with fines up to 1% of a provider’s daily worldwide turnover. The UK runs a broader operational-resilience regime supervised separately (rules live March 18, 2027), and the US relies on 2023 interagency guidance that polices banks, not vendors. The benchmark for getting resilience wrong is TSB’s £48.65 million FCA/PRA fine. Multinational firms must now satisfy three regimes for the same cloud dependency; the gaps between them are the risk.
FAQ
What is DORA and when did it take effect?
DORA, the EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554), is the bloc’s framework for the digital resilience of financial firms. It applied from January 17, 2025 and, uniquely, lets EU regulators directly oversee the most systemically important technology vendors — Critical ICT Third-Party Providers — rather than only the financial entities that use them.
Which companies were designated as Critical ICT Third-Party Providers?
The European Supervisory Authorities named 19 CTPPs on November 18, 2025, including Amazon Web Services, Microsoft, Google Cloud, IBM, Accenture, Bloomberg, LSEG Data & Risk and FIS. Roughly a quarter are generic cloud-infrastructure providers, reflecting that more than 65% of EU financial entities depend on at least two of AWS, Azure and Google Cloud.
How does the UK’s operational-resilience regime differ from DORA?
The UK regime is broader — it covers operational resilience whatever the cause, not just ICT incidents — but supervises critical third parties through the FCA and PRA under SS6/24 rather than a pan-EU overseer. Its reporting rules were finalised in 2026 and the substantive obligations take effect on March 18, 2027. The ESAs and UK regulators signed a coordination MoU in January 2026.
What can regulators do to a non-compliant critical provider under DORA?
A Lead Overseer (the EBA, ESMA or EIOPA) can request information, run investigations, conduct on-site inspections and issue binding recommendations under Article 35. If a designated provider does not comply, it can be fined up to 1% of its average daily worldwide turnover, levied daily for up to six months — a penalty scaled to a hyperscaler.
Why does the TSB fine matter for DORA?
TSB’s £48.65 million FCA and PRA fine in December 2022 is the canonical operational-resilience failure: a botched 2018 IT migration locked roughly 1.9 million customers out of their accounts. It quantifies the cost of getting resilience wrong and shows the old gap DORA closes — in 2018 regulators could only sanction the bank, whereas DORA now reaches the critical vendors behind such failures.
This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.