
DORA, CTPP Designation and Microsoft 365 – Why Banks Need a Tested Exit Strategy in 2026

Since late 2025, Microsoft has been an officially designated critical ICT third-party provider under DORA. What that means for BaFin, the ESAs and your concentration-risk file.


On 18 November 2025 the European Supervisory Authorities EBA, EIOPA and ESMA published the first official list of Critical ICT Third-Party Providers under the Digital Operational Resilience Act (DORA). There are 19 providers on that list, Microsoft Ireland Operations Limited among them. Operational ESA supervision over those CTPPs began in early 2026 – with dedicated Joint Examination Teams and a Lead Overseer per provider. On 2 February 2026 Microsoft responded with its own concentration-risk and exit-strategy framework. From that point onwards, any German bank, insurance company, payment service provider or investment firm has a concrete regulatory problem if Microsoft 365 or Azure does not show up in an active exit plan.

We break down what has changed since the CTPP designation, what BaFin concretely audits in the DORA register of information, and what an exit plan looks like that survives an ESA examination in the current year. For the European sovereignty backdrop, see our analysis of the Eurostack concept and of the CLOUD Act exposure of German Microsoft tenants.

What DORA has been demanding since early 2026 – short and concrete

DORA has been binding across the EU since 17 January 2025. It addresses roughly 22,000 European financial entities – banks, insurance companies, investment firms, asset managers, payment service providers, crypto custodians, trading venues and ICT third-party providers with critical functions.

Four pillars are now supervisory-relevant:

  1. ICT risk management – governance, asset inventory, protection and detection measures, business continuity planning.
  2. Incident reporting – classification and reporting of major ICT incidents within hours.
  3. Resilience testing – including Threat-Led Penetration Testing (TLPT) for significant institutions.
  4. ICT third-party risk – Articles 28 ff., the heart of the CTPP designation. Contractual obligations, exit strategy, regular testing.

The BaFin deadline for the first DORA register of information ran from 9 to 30 March 2026. Anyone who failed to file – or filed an incomplete register – is already in the second stage: follow-up, deadline, order. For the interplay with NIS2 and GDPR see the NIS2 / GDPR Microsoft paradox.

What Microsoft's CTPP designation actually changes

The ESA designation has three direct consequences for every Microsoft customer institution in Germany:

  • Direct supervision: From 2026 onwards Microsoft is supervised by roughly 30 ESA supervisors. A Lead Overseer is appointed, and a Joint Examination Team can request information and run on-site inspections at any time.
  • Higher documentation duty on the customer side: The bank not only has to list its Microsoft footprint, it must also quantify the concentration risk – prove how critical the dependency is and which alternatives exist.
  • Sub-processor pass-through: Microsoft has to disclose its sub-processor chain to the ESAs. Customer banks then carry that chain into their own DORA register – Akamai, CDN providers, regional sub-operators included. The same dynamic as in the Copilot Flex Routing discussion, only now formally enforceable.

Important: a CTPP designation does not mean Microsoft is automatically DORA-compliant. It means Microsoft is directly supervised. The customer responsibility remains: every bank still has to maintain its own Article 28 exit strategy – Microsoft cannot deliver that on the bank's behalf.

Microsoft's concentration-risk framework – helpful, but not a free pass

On 2 February 2026 Microsoft published a six-step resilience framework containing:

  • Data portability formats for Azure services (blob, SQL, Active Directory, analytics)
  • Estimated export times by data volume
  • Migration playbooks to AWS, GCP or on-premise
  • Templates for cloud risk governance

That is real progress. From a supervisory perspective it does not replace three things:

  • The institution's own concentration-risk assessment – the ESAs expect the entity, not the vendor, to be its author.
  • The tested exit exercise – Microsoft can describe paths, but cannot run the drill in the bank's name.
  • The choice of a real alternative – moving from Microsoft to AWS or GCP does not solve the concentration risk, because all three are subject to the CLOUD Act. DORA asks for resilience, not for US-hyperscaler diversification.

For a German bank that needs an ESA-auditable exit strategy, a European sovereign replacement stack is therefore unavoidable. Architecture and components at /en/alternativen.

The Article 28 exit strategy – HowTo

The six steps below are encoded in this post's structured HowTo schema (for Google Rich Results). Summary:

Step 1: Identify the Microsoft footprint

Mark every Microsoft contract in the DORA register. Microsoft 365, Azure, Entra ID, Dynamics, Power Platform, Defender. Classify criticality by business process.

Step 2: Quantify the concentration risk

Build a heatmap by average and maximum recovery time. Which components have no replacement plan today? Those are the ESA-reportable ones.

Step 3: Technically validate alternatives

Name and lab-test at least one European replacement path per service. Open-Xchange instead of Exchange, Nextcloud instead of SharePoint, Keycloak instead of Entra ID, Element/Matrix instead of Teams. Comparable to the stack used in the openDesk reseller partner program.

Step 4: Exit clause with a transition phase

At least a 12-month guaranteed data-export phase, standard formats, API exports. A five-day termination notice is not supervisory-grade.

Step 5: Annual exit exercise

Migrate a real department. Document the result. The JETs will ask for exactly these exercises.

Step 6: Consolidate four-regime documentation

GDPR, NIS2, DORA, BSI IT-Grundschutz or C5 in one database. Background in BSI IT-Grundschutz and Microsoft 365.

Defined terms

  • DORA: Digital Operational Resilience Act, EU Regulation 2022/2554, applicable since 17 January 2025. Targets the digital operational resilience of the EU financial sector.
  • CTPP: Critical ICT Third-Party Provider. A vendor whose failure would have systemic consequences for the European financial sector. Designation by the ESAs under Art. 31(9) DORA, first list published on 18 November 2025.
  • JET (Joint Examination Team): Examination team made up of EBA, EIOPA and ESMA staff that operationally supervises a designated CTPP.
  • Lead Overseer: Lead authority per CTPP. For Microsoft, one of the three ESAs depending on the dominant service segment.
  • Article 28 exit strategy: Contractually fixed, regularly tested plan to replace an ICT third-party provider within a supervisory-grade timeframe – without service interruption, without data loss, in a format an alternative provider can process.
  • Concentration risk: Supervisory risk arising from bundling critical functions with a single provider. Quantitatively recorded in the DORA register.

Where europioneer fits in

europioneer operates a European sovereign replacement stack based on Nextcloud, Open-Xchange, Element/Matrix, Keycloak and Collabora Online – as a managed hosted service in German and EU data centres, without hyperscaler sub-processors. For banks and insurance companies we take on the technical validation in step 3 and the annual exit exercise in step 5 – including the migration of a real department off Exchange Online and SharePoint onto the European stack, documented in a format the JETs can read. Component overview at /en/alternativen, packages and pricing at /en/pricing.

Bottom line

2026 is the year DORA moves from paper to audit. The ESA supervisors have officially put Microsoft under observation – but they are not auditing Microsoft, they are auditing the German bank that has not honestly quantified its Microsoft footprint. The Microsoft concentration-risk framework from February 2026 is good material – but it is not a German institution's exit strategy. Anyone who has to produce an ESA-auditable answer in 2026 cannot avoid running a European replacement stack in test and pilot mode.

