DORA Oversight and CTPP Status: What Kyndryl’s designation means for banks

DORA Oversight of Critical ICT Providers: What Kyndryl’s CTPP Designation Means for Banks

DORA introduces direct regulatory oversight for critical ICT service providers supporting the financial sector. Kyndryl’s designation as a CTPP brings additional transparency to the governance of essential technology services used by banks.

In November 2025, the European Supervisory Authorities (EBA, EIOPA and ESMA) published the official list of Critical ICT Third-Party Providers (CTPPs) under the Digital Operational Resilience Act (DORA). Kyndryl, representing its global operations and subsidiaries, was designated as a CTPP and is therefore subject to direct regulatory oversight by European authorities.

For banks and other regulated financial institutions, the designation is relevant primarily from a governance and vendor oversight perspective. It introduces a formal supervisory framework for critical technology providers, adding another structured layer of transparency to the financial services ecosystem.

According to Samlink’s CISO Christian Eichin, the designation reflects the critical role that large infrastructure providers play in financial services, a role that is now formally recognised within the regulatory framework.

“It is an acknowledgement that we are among a group of prominent providers delivering critical services to financial institutions. With that recognition comes authority-driven oversight,” Christian says.

He also notes that Kyndryl was designated alongside a limited number of globally significant technology providers, based on criteria such as systemic importance and the criticality of services delivered to financial entities.

What the CTPP Designation Means in Practice

The primary impact of the designation is that European supervisory authorities will conduct direct oversight engagements to assess whether Kyndryl maintains robust risk management, governance and operational resilience practices.

This includes supervisory activities such as monitoring, inspections, and formal requests for information and evidence.

The objective is to mitigate systemic ICT risks that could affect the stability of the EU financial sector.

From a banking perspective, this introduces an additional regulatory assurance mechanism at provider level, complementing existing contractual governance, audits and vendor risk management processes.

“There will be regular monitoring, inspections and requests for information. It is a structured, evidence-based oversight model similar in principle to what banks already operate under,” Christian explains.

What the Designation Does Not Change

A key clarification for financial institutions is that the CTPP designation does not modify existing contracts, nor does it create new contractual rights or obligations between banks and Kyndryl. This is also explicitly stated in Kyndryl’s official notification to financial entities.

Equally important, the designation does not change banks’ own responsibilities under DORA.

“These are two different regulatory worlds. Banks remain fully responsible for their own DORA compliance. Oversight of Kyndryl applies to us as a service provider and does not replace customer governance or regulatory accountability,” Christian notes.

Financial institutions must therefore continue to manage their own ICT risk, vendor oversight and regulatory compliance according to their supervisory requirements and internal control frameworks.

Supporting Transparency Across the Service Ecosystem

While the oversight applies to Kyndryl as a provider, Eichin sees potential long-term benefits in terms of transparency and evidence-based assurance for customers.

Regulatory oversight produces validated information on governance and resilience practices, which can, where appropriate, be reflected in existing customer reporting and assurance discussions.

“There will be authority-validated evidence that certain controls are in place. Over time, this can support more transparent and fact-based discussions with customers about operational resilience,” Christian says.

Samlink views the designation as reinforcing disciplined governance across the service ecosystem. Formal oversight strengthens confidence in operational practices and supports predictability in long-term service delivery.

“Strong governance benefits both service providers and the financial institutions that depend on them. Ultimately, this is about operational trust and predictability,” Christian concludes.
