EU designates 19 tech providers as critical infrastructure

The EU’s recent naming of 19 third-party companies as “critical” tech providers was viewed by industry experts in the U.S. in a different light following the disruption caused by the Nov. 18 Cloudflare outage, which came on the heels of an AWS issue in October.

By naming large providers such as AWS, Google Cloud, and Microsoft as critical providers under the EU’s Digital Operational Resilience Act (DORA), the EU formally acknowledged that certain technology companies are essential infrastructure — just like power grids or telecoms.


“It also gives regulators the ability to directly oversee resilience, including governance, incident response, backup integrity, and failover capability,” said Heath Renfrow, co-founder and CISO at Fenix24. “The modern financial system is entirely dependent on a small cluster of cloud, identity, and software providers. A single failure — whether from an outage, cyberattack, or a configuration cascade — can halt payments, trading, claims processing, and core banking services across an entire region.”

John Carberry, solution sleuth at Xcape, Inc., said the move by the EU directly addresses the risks of market concentration and potential widespread outages. In practice, Carberry said these providers will face supervisory testing, mandatory incident reporting, and heightened resilience requirements, placing responsibilities on the providers themselves, not just the banks.

Carberry added that while the U.S. relies on third-party risk guidance from agencies like the Office of the Comptroller of the Currency, Federal Reserve Bank, and the Federal Deposit Insurance Corporation, it lacks a DORA-like framework with formal designation and oversight of cloud and ICT providers.

“The advantages of such a system are evident, especially after significant cloud and content delivery network disruptions,” said Carberry. “Direct oversight could mitigate single points of failure, standardize testing procedures, and improve cross-sector incident coordination, assuming transparent APIs and data portability are in place to prevent vendor lock-in.”

Michael Bell, chief executive officer at Suzu Labs, said the CrowdStrike incident in 2024 proved that a single vendor's software update can ground airlines and freeze financial systems globally, so the question isn't whether this could work in the U.S., but how many more catastrophic outages we'll endure before congressional hearings force the designation anyway.

“What critical infrastructure designation means is that there will be regulatory oversight of redundancy requirements, mandatory incident disclosure, security standards enforcement, and restrictions on service shutdowns during active operations,” said Bell. “The U.S. will get here after the next major outage generates enough political pressure, at which point we'll discover voluntary frameworks aren't enforceable when the entire financial sector depends on three cloud providers competing for profit margins.”

Bell added that more regulation is “necessary,” but not necessarily “good” in the sense of being ideal policy. The EU has acknowledged that when a handful of tech companies control the infrastructure that entire economic sectors depend on, we can't treat them like optional services anymore:

“Banks can't process payments when AWS is down,” said Bell. “Hospitals can't access patient records when cloud providers fail. That's the definition of critical infrastructure.”
