• Survey suggests financial firms use a wide range of ICT providers…
  • …but rely on a relatively small group to support their most important functions
  • Financial firms will need to record information about their ICT contracts under DORA

The European Supervisory Authorities (ESAs) have shared high level analysis about how providers of ICT services support financial entities in the EU ahead of the introduction of the Digital Operational Resilience Act (DORA) in January 2025.

State of the (EU) nations

According to the ESAs' analysis:

  • As many as 20,000 ICT providers may serve, either directly or indirectly via supply chains, the 1,600 firms surveyed by the ESAs.
  • Most ICT providers serve a small number of firms but some of these firms may play a significant role in the EU’s financial system.
  • There is a relatively concentrated group of ICT providers that provide critical services to most firms in the sample.
  • The most popular ICT providers tend to support firms’ critical or important functions.
  • These ICT services are often non-substitutable, which underlines concerns about concentration risks in the sector.

Survey of financial firms

The ESAs’ report is important context for DORA. DORA requires firms to record data about the ICT services they use on a register – at a sub-consolidated and consolidated level. It also creates a supervisory regime for ICT third party service providers that are deemed to be “critical” to the EU’s financial system – irrespective of whether the provider is based in the EU already, or not.

The analysis is based on a 2022 survey carried out by the ESAs and national regulators. It uses a sample of firms from across the EU but is not necessarily statistically representative. The survey focuses on concentration risk and substitutability.

The output of the survey underscores the complexities that firms will need to manage when implementing DORA. For example, the ESAs note the importance for firms to collect unique identifiers for their ICT providers and for firms to develop a consistent taxonomy of ICT services.


Earlier this year the ESAs sought feedback on the criteria for assessing whether an ICT provider is “critical”. They have also consulted on a first batch of Level 2 standards under DORA. This includes technical standards on the register of information that firms will have to maintain recording their contractual arrangements with third parties on the use of ICT services.