IBM has been named a critical ICT third-party provider for Europe’s financial sector, placing the firm under direct EU oversight. The European Supervisory Authorities published the first list of designations on November 18, 2025, calling it “a crucial step in the implementation of the DORA oversight framework” in a press release.
IBM confirmed the status in a statement late last week. The decision follows months of data collection and criticality assessments led by banking, insurance, and markets regulators across the bloc. Oversight will now move from planning to day-to-day engagement. It is a significant shift.
Oversight powers and next steps
Under the Digital Operational Resilience Act, the ESAs may request information, conduct on-site inspections, issue recommendations, and impose penalties on critical providers. The framework gives the lead overseer a direct line to the vendor and the ability to test resilience, as described on the European Banking Authority’s DORA page.
Early activities typically include scoping of critical services, governance reviews, and timelines for remediation. Providers can expect structured examinations that focus on incident management, change control, and software supply chain risk. These tools aim to reduce systemic risk from concentrated technology dependencies. The goal is stable services.
For banks, insurers, and market firms, the designation offers a clearer route to supervisory expectations. Contract renewal cycles may need to align with testing windows and corrective action plans.
Exit and portability clauses could face closer review, especially where workloads span multiple clouds or data centres.
Cross-border impact for providers
The decision reaches well beyond the EU. Canadian financial groups with EU operations, and vendors supporting them, may need to adjust service maps and escalation paths. Shared platforms that process payments, trading, or core banking functions will be mapped against critical or important functions under local rules. That mapping drives resilience testing and board reporting. Documentation must be ready.
IBM’s own message signals a cooperative posture. “We look forward to constructive engagement with the European Supervisory Authorities,” IBM said. Market watchers will look for early findings, such as improvements to incident logging or backup recovery times. Those outcomes tend to shape contract language across the sector. Progress will be measured.
The designations also formalize the path set out earlier in 2025, when the ESAs outlined timelines for data collection and criticality assessments. The oversight system now turns to execution. Providers will be expected to demonstrate governance, controls, and plans that work under stress.
