The knowledge platform for the financial technology industry

A-Team Insight Blogs

DORA CTPP List Published, But Who’s Missing?


When the European Supervisory Authorities (ESMA, EBA and EIOPA) published the first list of Critical ICT Third-Party Providers (CTPPs) in November 2025, the step marked a major milestone in the rollout of the Digital Operational Resilience Act (DORA). The regulators described the designations as “crucial” to implementing the Union-level oversight framework.

Yet despite the significance of the moment, the release generated relatively limited fanfare. This muted reception stands in contrast to the wider operational-resilience story unfolding across capital markets and treasury. Over the past eighteen months, some of the most disruptive incidents affecting banks, brokers and trading infrastructure have involved providers not included in the first CTPP list. At the same time, several high-share infrastructure and data suppliers that play central roles in post-trade processing, cross-border payments, valuations and trading remain outside the initial supervisory scope. Against that backdrop, the publication of the list may prove to be only one part of a broader conversation about systemic dependencies in financial-market technology.

A milestone with a light footprint

The CTPP designations reflect the methodology set out in DORA: the ESAs used registers of contractual arrangements submitted by financial entities, conducted a criticality assessment with national competent authorities, and offered each candidate provider the opportunity to respond before finalising the list. The resulting nineteen companies include cloud platforms, infrastructure operators, telecoms providers, consulting firms and market-data services. They span entities such as Amazon Web Services, Google Cloud, Microsoft Ireland, IBM, Equinix, Bloomberg and LSEG Data & Risk.

For capital-markets institutions, the list primarily confirms expectations. The named firms are widely used, broadly global and already subject to intense supervisory interest in areas such as cloud concentration, operational risk and data governance. Technical alerts focus on the implications for contractual documentation, incident reporting and oversight coordination, but few characterise the list itself as a market-moving development.

The more telling story: disruptive incidents from non-listed providers

What stands out, however, is the contrast between the designated landscape and the operational incidents that have most affected capital-markets workflows in the period leading up to the list’s publication. Notably, firms outside the CTPP perimeter have been at the centre of several globally significant disruptions.

The most high-profile case remains the CrowdStrike Falcon update outage of 19 July 2024, which triggered mass Windows system crashes across a wide range of industries. Public reporting from July 2024 documented widespread operational impact at banks, brokers, exchanges and payment processors. Technology and financial-news outlets described it as one of the most extensive IT disruptions in recent years, with service interruptions reported in multiple jurisdictions and across several layers of the financial ecosystem. The outage highlighted the degree of reliance financial institutions have on endpoint-security updates delivered at scale – a dependency that, while not traditionally classified as financial-market infrastructure, clearly intersects with service availability in capital markets.

More recently, Cloudflare, another firm absent from the initial CTPP list, experienced two high-visibility outages within three weeks. On 18 November 2025, a faulty configuration change in its Bot Management system led to a multi-hour global disruption across core content-delivery and security services. Public analysis estimated that services used by billions of end-users were affected, and industry reporting highlighted downtime at multiple online brokers and trading platforms. In early December, a second, shorter outage affected approximately a quarter of Cloudflare’s HTTP traffic, again prompting temporary access failures for several major online services, including crypto-trading venues.

For capital-markets participants, these incidents exposed the degree to which trading venues, brokers and treasury platforms depend on Internet-scale delivery and security services, even when these providers do not currently fall within the ESAs’ definitions of “critical infrastructure.”

Concentration risk beyond the supervisory perimeter

A second category of non-listed firms deserves attention: providers with documented, high market share in functions central to capital markets. These companies may not have been designated in the first iteration of the CTPP list but represent essential infrastructure for trading, payments, valuations and reporting – and, importantly, have spent more than two decades building resilience frameworks shaped by the operational lessons of 11 September 2001.

DTCC, for example, states publicly that its Global Trade Repository processes an estimated 80% of derivatives transactions globally, and its regulatory-reporting platform is used by more than seventy major institutions. After 9/11, when DTCC’s headquarters in lower Manhattan were within the immediate impact zone but its clearance and settlement systems continued operating from alternate sites, the organisation expanded its geographically dispersed data-centre model and strengthened end-to-end business-continuity, replication and failover capabilities.

SWIFT, meanwhile, remains the dominant network for cross-border payments and securities messaging, reporting coverage of institutions in 92% of all countries and a high proportion of direct payment flows. Following 9/11, SWIFT reinforced its multi-region operations model, emphasising redundancy, diverse routing and real-time replication across its European and US operating centres. These measures, publicly detailed in SWIFT’s operational-resilience communications over the years, were designed to ensure continuity of global payment and securities-settlement traffic under extreme conditions. Treasury desks, settlement operations and custody networks rely on this level of engineered redundancy every day.

Taken together, these examples underline a key point: the structure of operational interdependencies in capital markets does not align neatly with the current CTPP perimeter. Market share, adoption levels and the potential financial impact of a service disruption remain concentrated in several entities that have long operated as de facto systemic infrastructure – often outside the scope of formal supervisory designation but supported by resilience frameworks shaped by the most consequential market-wide disruption in recent history.

A broader resilience conversation ahead

None of this diminishes the significance of the ESAs’ designations. The publication of the first CTPP list establishes the EU’s formal supervisory perimeter, sets out a clear framework for oversight, and begins the process of engaging with designated providers through information requests, examinations and resilience assessments. For capital-markets and treasury leaders, operational-resilience planning will increasingly require two forms of visibility: the ability to meet regulatory expectations for designated providers, and a complementary understanding of the broader ecosystem of ICT services on which trading, settlement, risk and reporting functions depend.
