DORA first oversight cycle — 19 designated CTPPs under Joint Examination Team activity

The ESAs (EBA, EIOPA, ESMA) designated 19 critical ICT third-party providers (CTPPs) in November 2025; the first complete DORA oversight cycle is underway in 2026. Joint Examination Teams (JETs) established in Q1 2026 are conducting initial examination activities that may result in recommendations and follow-ups. Financial-sector entities using the 19 designated CTPPs are now subject to enhanced regulatory scrutiny of contractual ICT arrangements, subcontracting chains, and incident-reporting flows under DORA Articles 26–44. The designated CTPPs are themselves subject to direct ESA oversight including required cooperation with JET examinations and expected to demonstrate ICT risk-management governance, resilience testing (TLPT for critical-function systems), and supply-chain transparency. Swiss financial institutions supervised by FINMA that use EU-designated CTPPs should confirm their contractual arrangements comply with DORA Chapter V (ICT third-party risk management) as enforced via EU subsidiaries (ESMA press release; PwC Legal).