DORA CTPP Third-Party Risk · Indirectly Bringing AWS/Anchorage under Financial Regulation

Confidence: Likely · Updated 2026-05-26 · Review by 2026-09-22 · Sources: 5 · Machine-translated · Original (JA)
#fintech #law #regulation #eu #dora #ctpp

Wiki route

This entry sits under fintech index. Read it with Japan Financial Regulation — Legal Framework for Tokens, Crypto Assets, and Payments for adjacent context and Three-Layer Structure of Japan's Stablecoin Regulatory Regime (JPYC, USDC, Project Pax) for the broader system boundary.

[!info] TL;DR The Critical Third-Party Provider (CTPP) mechanism under DORA Art. 28–44 is the EU’s legal tool for “indirectly bringing” cloud / Anchorage / Coinbase Custody and other stablecoin critical infrastructure under supervisory oversight. Every EU stablecoin issuer / CASP / custodian is required to comply with a dual-compliance regime (MiCA + DORA). The first CTPP list in 2026 Q2 is expected to include AWS / Azure / GCP / Anchorage / Coinbase Custody / Chainalysis / TRM Labs / Fireblocks / Circle Europe.

Key facts

  • ESAs’ CTPP assessment criteria: systemic importance + dependency + substitutability + identified risks
  • CTPP oversight fee: €500K (medium-scale) to €5M (large-scale cloud)
  • Mandatory establishment of an EU legal entity or EU representative
  • ESAs can compel financial entities to terminate contracts
  • On-site inspections + remote audit rights
  • AWS / Azure / GCP expected to be automatically designated in 2026 Q2 ^[likely]
  • Anchorage / Coinbase Custody / Fireblocks / Chainalysis / TRM Labs on the expected list ^[likely]
  • Circle Europe has a dual status: EMT issuer + potential CTPP ^[likely]

Mechanism / How it works

ESAs assessment process (DORA Art. 31):

  • Quantification of systemic importance + financial entity dependency + substitutability + identified risks
  • After entry onto the CTPP list: direct supervision by EBA / ESMA / EIOPA lead overseer
  • Mandatory establishment of an EU legal entity or EU representative
  • Annual oversight fee €0.5M–€5M
  • On-site inspections + remote audit rights
  • ESAs can compel financial entities to terminate contracts

Actual impact chain: Circle Europe (MiCA EMT) must simultaneously comply with DORA → its AWS supplier automatically becomes a CTPP → AWS must establish an EU legal entity and submit to ESAs supervision → BUIDL on Solana reaching EU customers → BlackRock Europe + Solana validators are also affected.

Origin & evolution

The CTPP concept traces back to concerns about cloud concentration in European banking during 2018–2021 (AWS accounting for 40%+ of EU financial cloud). The EBA's 2017 Recommendations on outsourcing to cloud service providers were the initial attempt. DORA’s passage in 2022 elevated CTPP from soft guidance to hard regulation. The 2024-07 ESAs Level 2 RTS clarified the quantitative criteria. The first “non-financial tech company brought under financial regulation”: AWS / Azure / GCP automatically designated as CTPPs → direct ESAs supervision = reinforcing EU digital sovereignty cloud requirements (Gaia-X / EuroStack) and triggering an onshore data-centre construction boom. Together with the EU MiCA CASP (Crypto-Asset Service Provider) regime, this constitutes the EU’s “business + resilience” dual-track crypto-asset supervision.

Sources