DORA CTPP Third-Party Risk · Indirectly Bringing AWS/Anchorage under Financial Regulation
[!info] TL;DR The Critical Third-Party Provider (CTPP) mechanism under DORA Art. 28–44 is the EU’s legal tool for “indirectly bringing” cloud / Anchorage / Coinbase Custody and other stablecoin critical infrastructure under supervisory oversight. Every EU stablecoin issuer / CASP / custodian is required to comply with a dual-compliance regime (MiCA + DORA). The first CTPP list in 2026–Q2 is expected to include AWS / Azure / GCP / Anchorage / Coinbase Custody / Chainalysis / TRM Labs / Fireblocks / Circle Europe.
Key facts
- ESAs’ CTPP assessment criteria: systemic importance + dependency + substitutability + identified risks
- CTPP oversight fee: €500K (medium-scale) to €5M (large-scale cloud)
- Mandatory establishment of an EU legal entity or EU representative
- ESAs can compel financial entities to terminate contracts
- On-site inspections + remote audit rights
- AWS / Azure / GCP expected to be automatically designated in 2026–Q2
- Anchorage / Coinbase Custody / Fireblocks / Chainalysis / TRM Labs on the expected list
- Circle Europe has a dual status: EMT issuer + potential CTPP
Mechanism / How it works
ESAs’ assessment process (DORA Art. 31):
- Quantification of systemic importance + financial entity dependency + substitutability + identified risks
- After entry onto the CTPP list: direct supervision by EBA / ESMA / EIOPA lead overseer
- Mandatory establishment of an EU legal entity or EU representative
- Annual oversight fee €0.5M–€5M
- On-site inspections + remote audit rights
- ESAs can compel financial entities to terminate contracts
Actual impact chain: Circle Europe (MiCA EMT) must simultaneously comply with DORA → its AWS supplier automatically becomes a CTPP → AWS must establish an EU legal entity and submit to ESAs supervision → BUIDL on Solana reaching EU customers → BlackRock Europe + Solana validators are also affected.
Origin & evolution
The CTPP concept traces back to concerns about cloud concentration in European banking during 2018–2021 (AWS accounting for 40%+ of EU financial cloud). The EBA 2017 Recommendations on outsourcing to cloud service providers were the initial attempt. DORA’s passage in 2022 elevated CTPP from soft guidance to hard regulation. The 2024–07 ESAs Level 2 RTS clarified quantitative criteria. The first “non-financial tech company brought under financial regulation”: AWS / Azure / GCP automatically designated as CTPPs → direct ESAs supervision = reinforcing EU digital sovereignty cloud requirements (Gaia-X / EuroStack) and triggering an onshore data-centre construction boom. Together with the EU MiCA CASP (Crypto-Asset Service Provider) regime, this constitutes the EU’s “business + resilience” dual-track crypto-asset supervision.
Related
- Wiki Index
- DORA · EU Digital Operational Resilience Act Overview
- Deep dive into MiCA EMT vs ART sub-classification · Product shaping based on regulatory burden
- OCC trust bank charter
- GENIUS Act §501